Abstract


Cryptography, as a means for sending secret information over insecure communication 
channels, is thousands of years old. Since the birth of public key cryptography in 
1976, many public key cryptosystems have been proposed and many have been broken. 
Security of some of these schemes has been seriously threatened by the recent advances 
in computing discrete logarithms and integer factorisation. 

Elliptic curve cryptosystems seem to be an efficient and viable alternative to the conventional systems. The security of these cryptosystems depends on the difficulty of finding discrete logarithms on an elliptic curve, called the elliptic curve discrete logarithm problem (EDLP). Protocols implemented using elliptic curves have the advantage of having smaller keys than the existing systems for the same level of security.

In this thesis we have studied the issues involved in the implementation of cryptosystems, with specific reference to elliptic curve cryptosystems. Methods for optimising various computations in cryptosystems have been implemented and their timing details have been tabulated. The speed-up obtained by these optimisations has been demonstrated by implementing the well-known RSA algorithm. A library for performing elliptic curve computations has been built. Finally, elliptic curve analogs of the RSA and ElGamal schemes have been implemented and their throughput tabulated.
Chapter 1
Introduction


Cryptography, as a means for sending secret information over insecure communication channels, is thousands of years old. Today communication networks are being extensively used by banks, industrial and government organisations to convey highly sensitive and privileged information. In this context, information security and authentication have become extremely important and much attention has been focused on this area.

A turning point in the field of cryptography came in 1976 when Diffie and Hellman came up with the notion of public key cryptography. It opened up a new era in cryptography with the possibility of secret communication without any transfer of secret keys. In the years that have followed, many public key cryptosystems have been proposed and many have been broken. The RSA and ElGamal systems, which have stood the test of time, are worth mentioning. RSA is based on the difficulty of factoring large numbers and ElGamal is based on the difficulty of finding logarithms in finite fields. The security of these systems has been seriously threatened by the recent advances in computing discrete logarithms and integer factorisation [52].

Elliptic curves provide a viable and efficient alternative to the conventional systems. The set of rational points satisfying a Weierstrass equation over a finite field, commonly known as an elliptic curve over a finite field, provides a rich class of abelian groups. Elliptic curves over a finite field $F_p$ or a ring can be applied to implement analogs of the Diffie-Hellman scheme, the ElGamal scheme and the RSA scheme, as well as primality testing and integer factorization. Cryptosystems based on elliptic curves, called elliptic curve cryptosystems, were first proposed by Koblitz and Miller ([31], [44]). The security of these systems depends on the difficulty of finding discrete logarithms on an elliptic curve, called the Elliptic Curve Discrete Logarithm Problem (EDLP). The EDLP over a field K is harder than the DLP for the same K. Protocols implemented using elliptic curves have the advantage of having smaller keys than the existing systems for the same level of security. Thus elliptic curve cryptosystems are useful in applications like "smart cards" where both memory and processing power are limited. A smaller key length implies smaller data size and silicon area, apart from smaller bandwidth and memory requirements. Another advantage is that the users can choose different elliptic curves and still use the same hardware for performing the underlying operations in the field over which the curves are defined.

By appropriately choosing the curve, one can have a secure cryptosystem on $E/F_q$ if the order of the curve is divisible only by a prime of more than 30 digits [24]. It is conjectured that the low exponent attack on the RSA scheme cannot be analogously applied to attack the elliptic RSA scheme using a low multiplier ([36], [37]).

In cryptosystems like RSA, computations of the type $M^e \pmod n$ are common and have to be performed repeatedly. Modular arithmetic and exponentiations are extremely time consuming with the parameters used in the algorithm, which are integers typically of size 200 digits. Hence an efficient technique to perform these computations speeds up the overall performance of the system substantially.

The basic operation performed on an elliptic curve is the computation of $d \cdot P$, the multiple of a point P on the elliptic curve modulo n, which corresponds to the computation of $A^e \bmod n$. For large n and e, the time complexity of the elementary operations as well as the number of elementary operations are very high. Thus, reducing the number of such operations is important when implementing the above algorithms. Methods for efficient exponentiation have been applied to the computation of multiples of points.

In the present work we have studied the issues involved in the implementation of cryptosystems, with specific reference to elliptic curve cryptosystems. Montgomery reduction [45] has been implemented and the signed binary window method [28] has been used for exponent reduction. Timing details have been tabulated. Implementation of cryptosystems over elliptic curves has been demonstrated through the RSA and ElGamal schemes.

The thesis is organised as follows:

• Chapter 2 gives a brief overview of cryptography. 

• Chapter 3 gives an overview of elliptic curves and elliptic curve cryptosystems.

• In Chapter 4, issues involved in implementing a cryptosystem are presented. Multiprecision arithmetic and modular computations are discussed. Montgomery's method for modular reduction is discussed in detail.

• Chapter 5 gives a detailed account of the various implementations done as part of this thesis. The performance of the basic computations has been demonstrated by implementing the RSA algorithm. Elliptic curve cryptosystems have been demonstrated by implementing elliptic curve analogs of the RSA and ElGamal schemes, and their throughput is tabulated.
Chapter 2
An Overview of Cryptography


2.1 Introduction 

Cryptography ([15], [11], [34], [10], [18], [17]) is the art and science of securing infor- 
mation. It deals with the transformation of ordinary text, also known as plaintext, 
into an unintelligible form, known as ciphertext (CRYPTOGRAM), and vice versa. 
Transformation of plaintext into ciphertext is called encryption, and that of cipher- 
text into plaintext is called decryption. This is shown in Figure 2.1. Normally these 
transformations are controlled by one or more parameters referred to as keys. A key 
can take on one of many values. The range of possible values of the key is called the 
keyspace. A sender enciphers each message before transmission. The authorised re- 
ceiver knows the appropriate deciphering function to apply to the received message 
to obtain the original message. An eavesdropper who intercepts the transmitted message gets only "garbage" (the ciphertext), which makes no sense to him since he does not know how to decrypt it.

Complementary to cryptography is cryptanalysis, the art and science of breaking 
ciphertext. Cryptology is the branch of mathematics embodying both cryptography 
and cryptanalysis. 


Figure 2.1: Encryption and Decryption (plaintext → Encryption → ciphertext → Decryption → original plaintext)
The motivation for encryption is secure transmission over insecure channels. The sender of a message should be assured that nobody can intercept and read or modify the message, or fabricate a realistic-looking message.

Three of the most important services provided by cryptosystems are secrecy, 
authenticity, and integrity. Secrecy refers to denial of access to information by 
unauthorized individuals. Authenticity refers to validating the source of a message; 
i.e., that it was transmitted by a properly identified sender. Integrity refers to 
assurance that a message was not modified accidentally or deliberately in transit 
by replacement, insertion or deletion. Classical cryptography deals mainly with the secrecy aspect and it treats keys as secret. In later years two new trends emerged:

• The concept of public key. 

• Authenticity. 

The notion of public key arose from the difficulties traditionally associated with the management of secret keys. By making the keys public, the task of key management can be substantially simplified.

Authenticity has acquired great importance in the light of applications such as electronic mail systems and electronic funds transfers. In such settings, an electronic equivalent of the handwritten signature is desirable. Also, intruders into a system often gain entry by masquerading as legitimate users, so an alternative to password systems is needed for access control. This leads to the concept of "Digital Signatures". An ideal system which can solve all of these problems concurrently, providing both secrecy and authenticity, is the Public Key Cryptosystem (PKC). Unfortunately no single technique proposed to date has met all three criteria. Conventional systems such as DES require management of secret keys; systems using public key components may provide authenticity but are inefficient for bulk encryption of data due to low throughput.

Fortunately, conventional and public key systems are not mutually exclusive and 
they can complement each other. Public key systems can be used for signatures and 
also for the distribution of keys used in systems such as DES. Thus it is possible to 
construct hybrids of conventional and public key systems which can meet all of the 
above goals: secrecy, authenticity and ease of key management. 


2.2 Requirements of a Cryptosystem 

A cryptosystem has the following components: 

• A plaintext message space, M.

• A ciphertext space, C.

• A key space, $\mathcal{K}$.

• A set of enciphering transformations, $E_K : M \to C$, where $K \in \mathcal{K}$.

• A set of deciphering transformations, $D_K : C \to M$, where $K \in \mathcal{K}$.

Let $E_K$ and $D_K$ represent the encryption and decryption transformations respectively, and E and D be the respective algorithms. It is always required that $D(E(M)) = M$, where M is the message. It may also be the case that $E(D(M)) = M$; in this event either E or D can be employed for encryption. It may be assumed that $E_K$ and $D_K$ are relatively easy to compute when K is known. The set of parameters describing $E_K$ is called the enciphering key and that of $D_K$ the deciphering key.

Any cryptosystem must satisfy [15] the following requirements:

• The enciphering and deciphering transformations must be efficient for all keys. 

• The system must be easy to use with a large keyspace. This discourages an 
exhaustive search. 

• The security of the system should depend only on the secrecy of the keys and 
not on the secrecy of the algorithms. 


2.2.1 Requirements for Secrecy 

Secrecy requires that a cryptanalyst should not be able to determine the plaintext corresponding to given ciphertext, and should not be able to reconstruct D by examining ciphertext for known plaintext. This translates into two requirements [15] for a cryptosystem to provide secrecy:

• A cryptanalyst should not be able to determine M from E(M); i.e. the cryptosystem should be immune to ciphertext-only attacks.

• A cryptanalyst should not be able to determine D given $\{E(M_i)\}$ for any sequence of plaintexts $\{M_1, M_2, \ldots\}$; i.e. the cryptosystem should be immune to known-plaintext attacks. This should remain true even when the cryptanalyst can choose $\{M_i\}$ (chosen-plaintext attack), including the case in which the cryptanalyst can inspect $\{E(M_1), \ldots, E(M_j)\}$ before specifying $M_{j+1}$ (adaptive chosen-plaintext attack).

It is to be noted that secrecy only ensures that decryption of a message by an 
intruder is infeasible. It does not imply authenticity or integrity. 
2.2.2 Requirements for Authenticity and Integrity

Authenticity [15] requires that an intruder should not be able to masquerade as 
a legitimate user of a system. Integrity requires that an intruder should not be 
able to substitute false ciphertext for legitimate ciphertext. The following minimal requirements should be met for a cryptosystem to provide these services:


• It should be possible for the recipient of a message to ascertain its origin. 

• It should be possible for the recipient of a message to verify that it has not 
been modified in transit. 

• A sender should not be able to deny later that he sent a message. 

• It should be possible for the recipient of a message to detect whether it is a 
replay of a previous transmission. 


These requirements are independent of secrecy. 


2.3 Classification 

There are two fundamental classifications ([10], [18], [15]) of cryptosystems. 

• Restricted use cryptosystems 

• General use cryptosystems 

A cryptosystem is restricted if its security relies on keeping the underlying algo- 
rithms secret. These systems provide inadequate security and only have historical 
significance. Breaking such systems is almost always a simple exercise for a pro- 
fessional cryptanalyst. These systems are of no relevance in the modern context. 
Security of a general cryptosystem depends on the secrecy of the key rather than 
the algorithm. It can be further classified into: 

• Secret key or symmetric key cryptosystem. 

• Public key or asymmetric key cryptosystem.

2.3.1 Secret Key Cryptosystem 

In a secret key cryptosystem, E and D are parameterized by a single key K, so that we have $D_K(E_K(M)) = M$. In this system, both the sender and the receiver agree on a single, common key before actually communicating, as shown in Figure 2.2. This exchange of the key is through a secure medium. Since both the encryption and decryption keys are the same, these systems are also known as symmetric key cryptosystems.

Figure 2.2: Symmetric Key Cryptosystem (plaintext → Encryption → ciphertext → Decryption → original plaintext, both under the same key)

A typical secret key protocol is as follows. Asha and Balu, who want to communicate secretly, decide on a secret key K. If Asha wants to send a message $m \in M$ to Balu, she uses the enciphering algorithm $E_K$ to produce $C = E_K(m)$ and sends C to Balu over an insecure channel. Balu uses the algorithm $D_K$ to recover $m = D_K(C)$. Clearly, the security of the system depends on the secrecy of the key K. Secrecy and authenticity are both provided, since an eavesdropper cannot compute $D_K(C)$ and a would-be masquerader cannot compute $E_K(m)$. In some cases (e.g. transmission of a random bit string) this does not assure integrity; i.e. modification of a message en route may go undetected. Typically integrity is provided by sending a compressed form of the message (a message digest) along with the full message as a check. In practice, the actual message is too long to be enciphered directly, so it has to be broken into pieces and enciphered repeatedly. If the message is broken into groups of bits, called blocks, then the cipher system is called a block cipher. Some ciphers operate on the plaintext one bit at a time and are called stream ciphers.

The most notable example of a secret key cryptosystem is DES (Data Encryption 
Standard). It is a block cipher with a block size of 64 bits. We will not get into any 
more details of this system as we are more concerned about public key cryptosystems 
in this thesis. 

2.3.2 Public Key Cryptosystem (PKC) 

Secret key cryptosystems have an inherent problem known as the "key distribution problem", caused by the need for a common secret key. Before a private communication can begin, another private transaction is necessary to distribute the corresponding encryption and decryption keys to the sender and receiver, respectively. Typically a secure medium is used to carry a key from the sender to the receiver. In this there is a danger that an unauthorized person might intercept and obtain these keys while they are being communicated. In real, complex systems in which the keys are very large, maintaining the secrecy of the keys can be as troublesome as maintaining the secrecy of the text to be transmitted. Also, in the case of a network, where a person needs to communicate with many persons, a large keyspace is required. Thus such a practice is not feasible if a communication system is to be rapid, secure and inexpensive.

Figure 2.3: Asymmetric Key Cryptosystem (plaintext → Encryption under the encryption key → ciphertext → Decryption under the decryption key → original plaintext)

In 1976, Diffie and Hellman [18] came up with the notion of public key cryptography. By having separate keys for encryption and decryption, public key (asymmetric key) cryptography provides both a mechanism for transmitting secret messages without prior exchange of a secret key and a method of implementing digital signatures.

Public key cryptography differs from conventional cryptography in the way the key is used. In the case of PKC there are two different keys: the encryption key and the decryption key, as shown in Figure 2.3. Hence the name two-key or asymmetric key cryptosystem. Each user places in a public file his encryption key (procedure) E. This public file is a directory giving the encryption key of each user. The user keeps secret the details of his corresponding decryption key (procedure) D. Thus each user can encrypt messages. However, without knowing the decryption key, messages sent by other users cannot be efficiently decrypted. Thus, this system provides a unique and powerful method of implementing a multi-user security system.

The procedures of PKC have the following four properties [49]:

(a) Deciphering the enciphered form of a message M yields M, i.e., $D(E(M)) = M$.

(b) Both E and D are easy to compute.

(c) By publicly revealing E the user does not reveal an easy way to compute D. This means that in practice only he can decrypt messages encrypted with E, or compute D efficiently.

(d) If a message M is first deciphered and then enciphered, M is the result. Formally, $E(D(M)) = M$.
An encryption (or decryption) procedure typically consists of a general method and an encryption key. The general method, under control of the key, enciphers a message M to obtain the enciphered form of the message, called the ciphertext C. Everyone can use the same general method; the security of a given procedure will rest on the security of the key. Revealing an encryption algorithm then means revealing the key.

When the user reveals E he reveals a very inefficient method of computing D(C): testing all possible messages M until one such that E(M) = C is found. If property (c) is satisfied, the number of such messages to test will be so large that this approach is impractical.

A function E satisfying (a)-(c) is called a "trap-door one-way function"; if it also satisfies (d) it is a "trap-door one-way permutation". These functions are called "one-way" because they are easy to compute in one direction but very difficult to compute in the other direction. They are called "trap-door" functions since the inverse functions are in fact easy to compute once certain private "trap-door" information is known. Property (d) facilitates the implementation of "Digital Signatures". As an example, let us examine how Balu sends a secret message M to Asha in a public key cryptosystem.

First, Balu retrieves $E_A$ (the public key of Asha) from the public file. Then he sends her the enciphered message $E_A(M)$. Asha deciphers the message by computing $D_A(E_A(M)) = M$. By property (c) of the public key cryptosystem, only she can decipher $E_A(M)$. Also, she can encipher a private response with $E_B$, available in the public file. It is important to note that no private transactions between Asha and Balu are needed to establish private communication.

In 1978, Rivest, Shamir, and Adleman [49] of MIT published the first method of realizing public key cryptography. Their scheme, called the RSA system, is based on performing exponentiations in modular arithmetic. In the years that have followed, many public key cryptosystems have been proposed (and many have been broken). Currently, there are two kinds of systems that are considered viable and have been implemented:

• systems based on the difficulty of factoring the product of two large primes, 
and 

• systems based on the difficulty in finding logarithms in a finite field (commonly 
known as discrete logarithm). 

The RSA system is the most popular of these public key systems and is potentially an extremely valuable cryptographic technique. Its security is based on the difficulty of factoring large numbers. ElGamal [23] proposed a public key cryptosystem and a signature scheme based on the discrete logarithm problem. We will briefly describe some of the encryption schemes in the following sections.
2.3.3 Diffie-Hellman Key Distribution Scheme

Diffie-Hellman [18] proposed the following scheme for key exchange. Suppose that Asha and Balu want to share a secret $K_{AB}$, where Asha has a secret $x_A$ and Balu has a secret $x_B$. Let p be a large prime and α be a primitive element mod p, both public. Asha computes $y_A = \alpha^{x_A} \bmod p$ and sends $y_A$. Similarly, Balu computes $y_B = \alpha^{x_B} \bmod p$ and sends $y_B$. Then the secret $K_{AB}$ is computed as

$K_{AB} = \alpha^{x_A x_B} \bmod p = y_A^{x_B} \bmod p = y_B^{x_A} \bmod p.$

Hence both Asha and Balu are able to compute $K_{AB}$. But, for an intruder, computing $K_{AB}$ is extremely difficult and is a discrete logarithm problem.

In any of the cryptographic systems based on discrete logarithms, p must be chosen such that p − 1 has at least one large prime factor. If p − 1 has only small prime factors, then computing discrete logarithms is comparatively easy.

2.3.4 ElGamal Scheme 

In 1985, ElGamal [23] proposed a new encryption scheme, based on the implementation of the Diffie-Hellman key distribution scheme, that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

In this scheme, each user i picks a large prime p and a primitive element mod p, say α. He also chooses a random $x_i$ between 0 and p − 1 and computes

$y_i = \alpha^{x_i} \bmod p.$

$y_i$, α and p are made public and put in a public file. $x_i$ is the secret key of the user i.

Now suppose that Asha wants to send Balu a message m, where 0 < m < p − 1. First Asha chooses a number k uniformly between 0 and p − 1. Then she computes

$K = y_B^k \bmod p,$ (2.1)

where $y_B$ is the public key of Balu. The encrypted message (ciphertext) is then the pair $(c_1, c_2)$, where

$c_1 = \alpha^k \bmod p$ and $c_2 = K m \bmod p$ (2.2)
and K is as computed in (2.1).

The decryption operation splits into two parts. The first step is recovering K, which is easy for Balu since $K = c_1^{x_B} \bmod p$, and $x_B$ is known to Balu only. The second step is to divide $c_2$ by K and recover the message m. Table 2.1 summarizes the ElGamal scheme.

Table 2.1: ElGamal Scheme

PUBLIC KEY:
  p            prime (can be shared among a group of users)
  α < p        primitive element mod p (can be shared among a group of users)
  y_i = α^x_i (mod p)

PRIVATE KEY:
  x_i          random, between 0 and p − 1

ENCRYPTION:
  choose k with 0 < k < p − 1
  K = y_i^k (mod p)
  c_1 = α^k (mod p)
  c_2 = K m (mod p)

DECRYPTION:
  K = c_1^x_i (mod p)
  m = c_2 / K (mod p)

In this scheme the size of the ciphertext is double the size of the message. Also, the multiplication operation in (2.2) can be replaced by any other invertible operation such as addition mod p. The same value k should not be used for enciphering more than one block of the message, since if k is used more than once, knowledge of one block $m_1$ of the message enables an intruder to compute the other blocks.

Due to the randomization in the enciphering operation, the ciphertext for a given message m is not repeated. Also, due to the structure of this system, there is no obvious relation between the enciphering of $m_1$, $m_2$, and $m_1 m_2$, or any other simple function of $m_1$ and $m_2$. For the enciphering operation, two exponentiations are required. That is equivalent to about $2 \log p$ multiplications in GF(p). For the deciphering operation only one exponentiation (plus one division) is needed.

Breaking the system is equivalent to breaking the Diffie-Hellman distribution scheme. First, if m can be computed from $c_1$, $c_2$, and y, then K can also be computed from y, $c_1$, and $c_2$ (which appears like a random number since k and m are unknown). That is equivalent to breaking the distribution scheme. Second, even if m is known, computing k or x from $c_1$, $c_2$, and y is equivalent to computing discrete logarithms. The reason is that both x and k appear in the exponent in y and $c_1$.
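The Diffie-Hellman exchange of Section 2.3.3 and the ElGamal scheme of (2.1)-(2.2) and Table 2.1, as an added Python example that is not part of the thesis or its library. The toy values p = 23 and α = 5 are constructed for illustration; the helper names are my own, and `k_reuse_leak` only spells out the caveat above about reusing k.

```python
# Added example (not the thesis's own code): Diffie-Hellman key agreement
# (Section 2.3.3) and the ElGamal scheme built on it (equations (2.1)-(2.2)).
# Toy parameters p = 23, alpha = 5 are constructed for illustration only;
# real deployments use a prime p of hundreds of digits where p - 1 has a large
# prime factor, and a fresh random k for every block.
import secrets

def prime_factors(n):
    """Distinct prime factors of a small integer by trial division."""
    factors, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(alpha, p):
    """alpha has order p - 1 iff alpha^((p-1)/q) != 1 for every prime q | p - 1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def has_large_prime_factor(p, digits):
    """The check from Section 2.3.3: p - 1 should have a prime factor of at least
    `digits` decimal digits, otherwise discrete logs mod p are comparatively easy."""
    return max(prime_factors(p - 1)) >= 10 ** (digits - 1)

def dh_public(alpha, p, x):
    """y = alpha^x mod p, the value each party publishes."""
    return pow(alpha, x, p)

def dh_shared(y_other, x_own, p):
    """K_AB = y_B^{x_A} mod p on Asha's side, y_A^{x_B} mod p on Balu's."""
    return pow(y_other, x_own, p)

def elgamal_keygen(alpha, p, x=None):
    """Private x_i (random in 1..p-2 unless given) and public y_i = alpha^x_i mod p."""
    x = secrets.randbelow(p - 2) + 1 if x is None else x
    return x, pow(alpha, x, p)

def elgamal_encrypt(alpha, p, y, m, k=None):
    """(2.1)-(2.2): K = y^k, c1 = alpha^k, c2 = K*m, all mod p."""
    if not 0 <= m < p:
        raise ValueError("message block must lie in 0..p-1")
    k = secrets.randbelow(p - 2) + 1 if k is None else k
    K = pow(y, k, p)
    return pow(alpha, k, p), (K * m) % p

def elgamal_decrypt(p, x, c1, c2):
    """Recover K = c1^x mod p, then m = c2 / K mod p (division = multiply by K^-1)."""
    K = pow(c1, x, p)
    return (c2 * pow(K, -1, p)) % p

def k_reuse_leak(p, c2_a, m_a, c2_b):
    """The caveat from the text made concrete: two blocks enciphered with the same k
    share the same K, so c2_a / c2_b = m_a / m_b and one known block m_a gives
    the other, m_b = c2_b * m_a / c2_a (mod p), with no discrete logarithm needed."""
    return (c2_b * m_a * pow(c2_a, -1, p)) % p

if __name__ == "__main__":
    p, alpha = 23, 5
    assert is_primitive_root(alpha, p)
    x_a, y_a = elgamal_keygen(alpha, p, 6)
    x_b, y_b = elgamal_keygen(alpha, p, 15)
    print("shared key:", dh_shared(y_b, x_a, p), dh_shared(y_a, x_b, p))
    c1, c2 = elgamal_encrypt(alpha, p, y_b, 7)
    print("decrypted:", elgamal_decrypt(p, x_b, c1, c2))
```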
2.3.5 RSA Scheme

The RSA scheme [49] is an exponentiation cipher and involves modular exponentiation. The enciphering and deciphering transformations are based on Euler's generalisation of Fermat's Theorem. Let us look into some definitions ([15], [47]) before discussing the RSA scheme.

Definition 1 Given an integer n, φ(n) is the number of elements in the reduced set of residues modulo n, i.e., φ(n) is the number of positive integers less than n that are relatively prime to n.

In general, for an arbitrary n, φ(n) is given by

$\phi(n) = \prod_{i=1}^{k} p_i^{e_i - 1}(p_i - 1)$

where

$n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}.$

Fermat's Little Theorem 1 Let n be a prime. Then for every a such that gcd(a, n) = 1,

$a^{n-1} \equiv 1 \pmod n$ (2.4.2)

Euler provided a generalised version of the above theorem as follows.

Euler's generalisation 1 For every a and n such that gcd(a, n) = 1,

$a^{\phi(n)} \equiv 1 \pmod n$ (2.4.3)


RSA Procedure [49]

The encryption key is a pair of positive integers (e, n). Similarly, the decryption key is a pair of positive integers (d, n). Each user makes his encryption key public, and keeps the corresponding decryption key private.

Each user computes n as the product of two primes p and q, n = p · q. These primes are very large, "random" primes. Although n is public, the factors p and q are kept secret. This also hides the way d can be derived from e. d is chosen to be a large, random integer which is relatively prime to φ(n), where φ(n) = (p − 1)(q − 1). That is, d satisfies:

$\gcd(d, (p - 1)(q - 1)) = 1$

The integer e is computed from p, q, and d to be the "multiplicative inverse" of d, modulo (p − 1)(q − 1). Thus we have

$e \cdot d \equiv 1 \pmod{(p - 1)(q - 1)}$
Table 2.2: RSA Encryption

PUBLIC KEY:
  n    product of two primes, p and q (p and q must remain secret)
  e    relatively prime to (p − 1) × (q − 1)

PRIVATE KEY:
  d    e^(−1) (mod (p − 1) × (q − 1))

ENCRYPTING:
  c = m^e (mod n)

DECRYPTING:
  m = c^d (mod n)

The steps for encrypting a message M using a public encryption key (e, n), where e and n are a pair of positive integers, are as follows. The message is represented as an integer between 0 and n − 1. A long message is broken into a series of blocks and each block is represented as such an integer. This converts the message blocks into the numeric form necessary for encryption.

The message is encrypted by raising it to the power e modulo n. To decrypt the ciphertext, it is raised to another power d, modulo n. The encryption and decryption algorithms E and D are thus:

$C = E(M) = M^e \pmod n$, for a message M.

$M = D(C) = C^d \pmod n$, for a ciphertext C.

Table 2.2 summarizes the RSA scheme. It is to be noted that encryption does not increase the size of a message; both the message and the ciphertext are integers in the range 0 to n − 1. Since φ(n) cannot be determined without knowing the prime factors p and q, it is possible to keep d secret even if e and n are made public. This means that the RSA scheme can be used for public key encryption, where the enciphering transformation is made public and the deciphering transformation is kept secret. The security of the system depends on the difficulty of factoring n into p and q.
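The RSA procedure of Section 2.3.5 and Table 2.2, as an added Python example that is not the thesis's implementation. The primes p = 61, q = 53 and e = 17 are constructed toy values; the helper names are my own, and `d_from_factors` only shows why the text insists that p and q stay secret.

```python
# Added example (not the thesis's own code): the RSA procedure of Section 2.3.5
# and Table 2.2 with constructed toy primes p = 61, q = 53 (n = 3233).
# Real keys use primes of roughly 100 digits each; a message block is an
# integer in 0..n-1.
from math import gcd

def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v

def modinv(a, m):
    """Multiplicative inverse of a modulo m; only exists when gcd(a, m) = 1."""
    g, u, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return u % m

def rsa_keygen(p, q, e):
    """Public key (e, n), private key (d, n) with e*d = 1 (mod (p-1)(q-1)).
    The text fixes d first and derives e; fixing e and deriving d is the same relation."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (e, n), (modinv(e, phi), n)

def rsa_encrypt(pub, m):
    """c = m^e (mod n); the block must already be an integer in 0..n-1."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message block must lie in 0..n-1")
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    """m = c^d (mod n)."""
    d, n = priv
    return pow(c, d, n)

def rsa_sign(priv, m):
    """Property (d) of Section 2.3.2 used as a textbook signature: s = D(m) = m^d mod n."""
    return rsa_decrypt(priv, m)

def rsa_verify(pub, m, s):
    """Anyone holding the public key checks E(s) = s^e mod n against m."""
    return rsa_encrypt(pub, s) == m

def d_from_factors(e, n, p):
    """Why p and q must stay secret: with one factor known, phi(n) and hence d
    follow at once. Without the factors, obtaining d is believed to require factoring n."""
    q = n // p
    return modinv(e, (p - 1) * (q - 1))

if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)
    c = rsa_encrypt(pub, 65)
    print("n =", pub[1], "d =", priv[0], "c =", c, "m =", rsa_decrypt(priv, c))
```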


2.3.6 Applicability and Limitations 

The range of applicability of public key systems is limited in practice by their relatively low throughput compared to their conventional counterparts. The low efficiency is due to the computationally intensive encryption and decryption operations. This precludes the use of public key systems as replacements for conventional systems and makes their use for bulk data encryption infeasible, at least for the present. In spite of these limitations, there are two major application areas for public key cryptosystems:

• Distribution of secret keys. 

• Digital signatures. 

No bulk encryption is needed when PKC is used to distribute keys, since the latter are generally short. Also, digital signatures are generally applied only to the outputs of hash functions. These hash functions are public functions that map a message of any length into a fixed-length value called the hash value, which serves as an authenticator. In both cases the data to be encrypted or decrypted is restricted in size. Thus the throughput (bits/sec) limitation of PKC is not a major limitation for either application.



Chapter 3
Elliptic Curves and Cryptosystems


3.1 Introduction 

The set of points on an elliptic curve E defined over a field K form an abelian group. These provide a rich class of abelian groups, making them attractive for cryptographic implementations. Koblitz and Miller ([31], [44]) proposed a variant of discrete log cryptography based on the elliptic curve discrete log problem (EDLP) in the group of points of an elliptic curve defined over a finite field. The security of these systems is based on the EDLP. These cryptosystems have two potential advantages over systems based on the multiplicative group of a finite field (and also over systems based on RSA):

• the great diversity of elliptic curves available to provide the groups; and 

• the absence of subexponential time algorithms (such as those of "index calculus" type) that could find discrete logs in these groups.

Recently, they have been used in devising efficient algorithms for factoring integers and for primality proving. In the field of cryptography, elliptic curves have found applications in the construction of public key cryptosystems and in the construction of pseudorandom bit generators and one-way permutations. Other uses of elliptic curves are found in coding theory, where they are used to obtain good error-correcting codes.

Elliptic curve cryptosystems potentially provide security equivalent to the existing public key schemes, but with shorter key lengths. Having short key lengths means smaller bandwidth and memory requirements and can be a crucial factor in some applications, for example the design of smart card systems.
3.2 Motivation

Although the discrete logarithm problem, as first employed by Diffie and Hellman 
in their public key exchange algorithm, referred explicitly to the problem of finding 
logarithms with respect to a primitive element in the multiplicative group of the 
field of integers modulo a prime p, this idea can be extended to arbitrary groups, 
with the difficulty of the problem varying with the representation of the group. 

Consider a finite group G, and let a and b be elements of G. Then determining 
a value x such that a^x = b is the discrete logarithm problem for G. The value x 
is called the logarithm of b to the base a, and is denoted by \log_a b. The difficulty of 
determining this quantity depends on the representation of G. If the abstract cyclic 
group of order m is represented in the form of the integers modulo m, then the 
discrete logarithm problem reduces to the extended Euclidean algorithm. However, 
if m + 1 is prime, and the group is represented in the form of the multiplicative 
group of the finite field with m + 1 elements, the problem is much more difficult. If the group is 
represented as an elliptic curve group over a finite field, then the problem is again 
much more difficult. This makes elliptic curves a good candidate for cryptosystem 
design. 


3.3 Review of Elliptic Curves 

In this section we briefly review elliptic curves [38], [34], [51], [53]. 

Definition 2 An elliptic curve E(F_q) over a field F_q is defined as the set of all 
points (x, y) \in F_q \times F_q that are the solutions of the Weierstrass equation 

E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \qquad (3.1) 

where a_i \in F_q for i \in Z, such that E(F_q) is non-singular. 

Let us define the following quantities 

b_2 = a_1^2 + 4a_2 

b_4 = 2a_4 + a_1 a_3 

b_6 = a_3^2 + 4a_6 

b_8 = a_1^2 a_6 + 4a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2 

c_4 = b_2^2 - 24 b_4 

\Delta = -b_2^2 b_8 - 8 b_4^3 - 27 b_6^2 + 9 b_2 b_4 b_6 \qquad (3.2) 

and 

j(E) = \frac{c_4^3}{\Delta} \qquad (3.3) 

The quantity \Delta is called the discriminant of the Weierstrass equation and j(E) is 
called the j-invariant of E if \Delta \neq 0. The following theorems explain the significance 
of these quantities. 

Theorem 1 Let E be given by the Weierstrass equation (3.1). Then E is an ellip- 
tic curve, i.e., the Weierstrass equation is non-singular, if and only if \Delta \neq 0. 

Theorem 2 Two elliptic curves E_1(F_q) and E_2(F_q) given by the non-singular 
Weierstrass equations 

E_1 : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 

E_2 : y^2 + a'_1 xy + a'_3 y = x^3 + a'_2 x^2 + a'_4 x + a'_6 

are isomorphic over F_q, denoted by E_1 \cong E_2, if and only if there exist 
u, r, s, t \in F_q, u \neq 0, such that the change of variables 

(x, y) \rightarrow (u^2 x + r, \; u^3 y + u^2 s x + t) 

transforms equation E_1 to equation E_2. The relation of isomorphism is an 
equivalence relation. 

Properties of Elliptic Curves 

Theorem 3 If two elliptic curves E_1(F_q) and E_2(F_q) are isomorphic over F_q, 
then j(E_1) = j(E_2). If two elliptic curves are isomorphic, then they are also 
isomorphic as abelian groups. 

The converse statement is not true in general. 

Theorem 4 (Hasse) Let \#E(F_q) be the order of an elliptic curve group E(F_q) 
defined over a field F_q with q elements. Then 

\#E(F_q) = q + 1 - t 

where q + 1 is the expected number of solutions and t is the discrepancy, which 
satisfies (by the Riemann Hypothesis for abelian varieties of dimension 1) 

|t| \leq 2\sqrt{q} 

The curve E(F_q) is said to be supersingular if t^2 = 0, q, 2q, 3q or 4q, and non- 
supersingular otherwise. Nonsupersingular curves are also referred to as ordinary 
curves. If the characteristic of F_q is 2 or 3, then a curve over F_q is supersingular if 
and only if it has j-invariant equal to zero. In case of characteristic > 3, the curve 
is supersingular iff its group has cardinality q + 1. The curve E can be viewed as 
an elliptic curve over any extension field of F_q. 
Theorem 5 (Cassels) The group E(F_q) is either cyclic or the product of two 
cyclic groups of order m_1 and m_2 satisfying 

m_1 \mid m_2, \qquad m_1 \mid \gcd(m, q - 1) 

where m = \#E(F_q) and F_q has q elements. 

Corollary If \#E(F_q) is squarefree, then surely E(F_q) is cyclic. 

Remark Similarly for the other case, if \#E(F_q) is not squarefree, then E(F_q) 
need not be a cyclic group. 


For various characteristics of the field K, denoted by char(K), the Weierstrass 
equation (3.1) can be simplified by means of a coordinate transformation. 

Elliptic Curves over K, char(K) \neq 2, 3 If char(K) \neq 2, then the following 
change of variables 

(x, y) \rightarrow \left(x, \; y - \frac{a_1 x + a_3}{2}\right) 

transforms E given by equation (3.1) to E' over K, where E \cong E', as below: 

E' : y^2 = x^3 + b'_2 x^2 + b'_4 x + b'_6 

where 

b'_2 = a_2 + \frac{a_1^2}{4}, \qquad b'_4 = a_4 + \frac{a_1 a_3}{2} \qquad \text{and} \qquad b'_6 = a_6 + \frac{a_3^2}{4}. 

If char(K) \neq 2, 3, then by the further change of variables 

(x, y) \rightarrow \left(\frac{x - 3 b_2}{36}, \; \frac{y}{216}\right), \qquad \text{with } b_2 = a_1^2 + 4a_2 = 4 b'_2 \text{ as in (3.2),} 

we get 

E'' : y^2 = x^3 + ax + b \qquad (3.4) 

E' \cong E'' and hence E \cong E''. The above equation is nothing but a Weierstrass 
equation where a_1 = a_2 = a_3 = 0, and is referred to as the Weierstrass short normal 
form. Applying equations (3.2, 3.3) to equation (3.4) we get the following quantities 
specialised for the short normal form: 

\Delta = -16(4a^3 + 27b^2), \qquad \text{and} \qquad j(E) = \frac{-1728 (4a)^3}{\Delta} 

Since E is non-singular, \Delta \neq 0 and so we have the condition 

4a^3 + 27b^2 \neq 0 

from above. 
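As an added worked example (this is not code from the thesis), the quantities of (3.2) and (3.3) computed for a general Weierstrass equation over F_p with p > 3 prime, checked against the short-normal-form specialisation just derived. The curve coefficients and primes in the usage are constructed sample values.

```python
# Added example, not part of the thesis: the quantities b_2, b_4, b_6, b_8, c_4,
# the discriminant Delta (3.2) and the j-invariant (3.3) of a general Weierstrass
# equation over F_p (p > 3 prime), and the specialisation to the short normal
# form (3.4). All curve coefficients used below are constructed samples.


def weierstrass_invariants(a1, a2, a3, a4, a6, p):
    """(Delta, j) of y^2 + a1*x*y + a3*y = x^3 + a2*x^2 + a4*x + a6 over F_p.
    j is None when Delta = 0, i.e. the equation is singular (Theorem 1)."""
    b2 = (a1 * a1 + 4 * a2) % p
    b4 = (2 * a4 + a1 * a3) % p
    b6 = (a3 * a3 + 4 * a6) % p
    b8 = (a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4) % p
    c4 = (b2 * b2 - 24 * b4) % p
    delta = (-b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6) % p
    if delta == 0:
        return 0, None
    # j = c4^3 / Delta, the division being a modular inverse in F_p
    return delta, (c4 ** 3 * pow(delta, -1, p)) % p


def short_form_invariants(a, b, p):
    """Same quantities for y^2 = x^3 + a*x + b via the specialised formulas
    Delta = -16(4a^3 + 27b^2) and j = -1728(4a)^3 / Delta."""
    delta = (-16 * (4 * a ** 3 + 27 * b * b)) % p
    if delta == 0:
        return 0, None
    return delta, ((-1728 * (4 * a) ** 3) * pow(delta, -1, p)) % p


def is_nonsingular(a, b, p):
    """The condition 4a^3 + 27b^2 != 0 (mod p) that a usable curve must satisfy."""
    return (4 * a ** 3 + 27 * b * b) % p != 0


if __name__ == "__main__":
    p = 23                                   # constructed small prime
    print("general formulas :", weierstrass_invariants(0, 0, 0, 1, 1, p))
    print("short form       :", short_form_invariants(1, 1, p))
    print("singular y^2=x^3 :", short_form_invariants(0, 0, p), is_nonsingular(0, 0, p))
```

The two routines agree on every curve given in short form, which is the check that the specialisation was carried through correctly; y^2 = x^3 + x gives the j-invariant 1728 and y^2 = x^3 + 1 gives 0, the two classical special values.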
Elliptic Curves over K, char(K) = 2 

Consider E, defined over a field K with characteristic 2, given by the general Weier- 
strass equation 

E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 

Using equation (3.3), we calculate the j-invariant for char(K) = 2 as 

j(E) = \frac{a_1^{12}}{\Delta} 

Depending on j(E) there are two kinds of curves defined. 

• j-invariant equals zero 

Since j(E) = 0, we have a_1 = 0. By the following transformation 

\phi : (x, y) \rightarrow (x + a_2, \; y) 

we get 

E_1 : y^2 + a_3 y = x^3 + a'_4 x + a'_6 

where E(K) \cong E_1(K). From equations (3.2, 3.3) we obtain \Delta = a_3^4 and j(E_1) = 0. 

• j-invariant not equal to zero 

Consider the following transformation 

\psi : (x, y) \rightarrow \left(a_1^2 x + \frac{a_3}{a_1}, \; a_1^3 y + \frac{a_1^2 a_4 + a_3^2}{a_1^3}\right) 

We get 

E_2 : y^2 + xy = x^3 + a_2 x^2 + a_6 

From equations (3.2, 3.3) we obtain \Delta = a_6 and j(E_2) = 1/a_6. 

3.3.1 Elliptic Curve Group Structure 

The points on an elliptic curve, along with a special point O called the point at infinity 
(the identity element), form an abelian group under a certain addition operation. Let 
E be an elliptic curve defined by the Weierstrass equation (3.1). Consider two points 
P, Q \in E. Then, addition is defined as follows: 

• a) O + P = P and P + O = P. (O is the identity element) 

• b) -O = O. 

• c) If P = (x_1, y_1) \neq O, then -P = (x_1, \; -y_1 - a_1 x_1 - a_3). 

Figure 3.1: An elliptic curve over R. 

• d) If Q = -P, then P + Q = O. 

• e) If P \neq O, Q \neq O, Q \neq -P, then let R be the third point of intersection of 
either the line PQ if P \neq Q, or the tangent line to the curve at P if P = Q, 
with the curve. Then, P + Q = -R. 

As in any abelian group, the notation nP denotes P added to itself n times if 
n is positive, -P added to itself |n| times if n is negative, and 0P = O. 
Explicit formulae for the group operation + are defined as follows. Consider P = 
(x_1, y_1), Q = (x_2, y_2) and let P + Q = (x_3, y_3) be points on the general elliptic curve 
equation given below 

E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 

Define 

\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P \neq Q \\[8pt] \dfrac{3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1}{2y_1 + a_1 x_1 + a_3} & \text{if } P = Q. \end{cases} 

Let \nu = y_1 - \lambda x_1. Then, 

x_3 = \lambda^2 + a_1 \lambda - a_2 - x_1 - x_2 

y_3 = -(\lambda + a_1) x_3 - \nu - a_3 

Figure (3.1) shows the geometric interpretation of addition of points. For two 
points M_1 and M_2 on the curve where M_1 \neq M_2, the sum M_3 = M_1 + M_2 is the 
mirror image of the third point P on the curve where the line joining M_1 and M_2 
again meets the curve. If M_1 = M_2 then the tangent line is used. The line joining 
the points M_1 and M_2 has a gradient \lambda given by the above formula; the alternative 
is derived from the limiting case when the chord becomes the tangent at M_1. This 
line intersects the curve at one further point P, whose negative is defined to be the 
sum of M_1 and M_2. One way of interpreting the addition law on E(F_q) is to state 
that three points P, Q, R are collinear if and only if 

P + Q + R = O 


Addition Formulae 

Elliptic curve over field K, char(K) > 3 

Consider the elliptic curve 

E : y^2 = x^3 + ax + b 

If P = (x_1, y_1) \in E, then -P = (x_1, -y_1) and P + (-P) = O. Given another 
point Q = (x_2, y_2) \in E, it satisfies the above properties, and if Q \neq -P, then 
P + Q = (x_3, y_3) where 

x_3 = \lambda^2 - x_1 - x_2 \qquad (3.5) 

y_3 = \lambda (x_1 - x_3) - y_1 \qquad (3.6) 

where 

\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P \neq Q \\[8pt] \dfrac{3x_1^2 + a}{2y_1} & \text{if } P = Q \end{cases} \qquad (3.7) 
Elliptic curve over field K, char(K) = 2 
• zero j-invariant elliptic curves (j(E) = 0). 

For this case the elliptic curve equation can be written as 

E : y^2 + a_3 y = x^3 + a_4 x + a_6 

and the addition formula is given as follows. 

If P = (x_1, y_1) \in E, then -P = (x_1, \; y_1 + a_3) and P + (-P) = O. Given another 
point Q = (x_2, y_2) \in E, it satisfies the above properties, and if Q \neq -P, then 
P + Q = (x_3, y_3) where 

x_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)^2 + x_1 + x_2 & \text{if } P \neq Q \\[8pt] \dfrac{x_1^4 + a_4^2}{a_3^2} & \text{if } P = Q \end{cases} 

and 

y_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)(x_1 + x_3) + y_1 + a_3 & \text{if } P \neq Q \\[8pt] \left(\dfrac{x_1^2 + a_4}{a_3}\right)(x_1 + x_3) + y_1 + a_3 & \text{if } P = Q \end{cases} 

• non-zero j-invariant elliptic curves (j(E) \neq 0). 

For this case, the elliptic curve equation can be written as 

E : y^2 + xy = x^3 + a_2 x^2 + a_6 

and the addition formula is given as follows. 

If P = (x_1, y_1) \in E, then -P = (x_1, \; x_1 + y_1) and P + (-P) = O. Given another 
point Q = (x_2, y_2) \in E, it satisfies the above properties, and if Q \neq -P, then 
P + Q = (x_3, y_3) where 

x_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)^2 + \dfrac{y_1 + y_2}{x_1 + x_2} + x_1 + x_2 + a_2 & \text{if } P \neq Q \\[8pt] x_1^2 + \dfrac{a_6}{x_1^2} & \text{if } P = Q \end{cases} 

and 

y_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)(x_1 + x_3) + x_3 + y_1 & \text{if } P \neq Q \\[8pt] x_1^2 + \left(x_1 + \dfrac{y_1}{x_1}\right) x_3 + x_3 & \text{if } P = Q \end{cases} 
3.4 Elliptic Curves over a Ring 

We now consider elliptic curves over the ring Z_n ([38], [35]), where n is an odd 
composite squarefree integer. An elliptic curve E_n(a, b) can be defined as the set 
of pairs (x, y) \in Z_n \times Z_n satisfying y^2 \equiv x^3 + ax + b \pmod{n}, together with a point 
O at infinity. An addition operation on E_n(a, b) can be defined in the same way 
as the addition operation on E_q(a, b), simply by replacing computations in F_q by 
computations in Z_n. However, two problems occur. The first problem is that 
because the computation of \lambda requires a division, which in a ring is defined only 
when the divisor is a unit, the addition operation on E_n(a, b) is not always defined. 
The second problem, which is related to the first, is that E_n(a, b) is not a group. 
It would therefore seem impossible to base a cryptographic system on E_n(a, b). 
However, it is still possible to do so for the following reasons. 

Let n = pq be the product of only two primes as in the RSA system. Moreover, 
the addition operation on E_n(a, b) described above, whenever it is defined, is equiv- 
alent to the (componentwise defined) group operation on E_p(a, b) \times E_q(a, b). By the 
Chinese Remainder Theorem, every element c of Z_n can be represented uniquely 
as a pair [c_p, c_q] where c_p \in Z_p and c_q \in Z_q. Thus every point P = (x, y) on E_n(a, b) can be 
represented uniquely as a pair [P_p, P_q] = [(x_p, y_p), (x_q, y_q)] where P_p \in E_p(a, b) and 
P_q \in E_q(a, b), with the convention that O is represented by [O_p, O_q], where O_p 
and O_q are the points at infinity on E_p(a, b) and E_q(a, b), respectively. By this 
mapping, all elements of E_p(a, b) \times E_q(a, b) are exhausted except the pairs of points 
[P_p, P_q] for which exactly one of the points P_p and P_q is the point at infinity. Note 
that the addition operation on E_n(a, b) described above is undefined if and only if 
the resulting point, when interpreted as an element of E_p(a, b) \times E_q(a, b), is one of 
these special points. 

It is important to note that when all prime factors of n are large, it is extremely 
unlikely that the sum of two points on E_n(a, b) is undefined. In fact, if the proba- 
bility of the addition operation being undefined were non-negligible, then the very 
execution of a computation on E_n(a, b) would be a feasible factoring algorithm, 
which is assumed not to exist. Therefore, the first problem will cause no difficulties 
in practice. 

The second problem, that E_n(a, b) is not a group, can be solved by the following 
lemma. That is, although we cannot use the properties of a finite group directly, 
we can use a property of E_n(a, b) which is similar to that of a finite group. The 
following lemma [35] can be easily obtained from the Chinese Remainder Theorem. 

Lemma Let E_n(a, b) be an elliptic curve such that \gcd(4a^3 + 27b^2, n) = 1 and n = 
pq (p, q prime). Let N_n be \mathrm{lcm}(\#E_p(a, b), \#E_q(a, b)). Then, for any P \in E_n(a, b) 
and any integer k, 

(k N_n + 1) P = P \quad \text{over } E_n(a, b). 

We should note that it is possible to define an elliptic curve over a ring so that the 
resulting structure is a group. 
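The following is an added worked example, not code from the thesis. It implements the group law (3.5)-(3.7) of Section 3.3.1 over Z_n rather than over a field, so that one routine covers both the field case (n prime) and the ring case of this section: a slope whose denominator is not a unit makes the addition undefined, and the routine then raises instead of returning a wrong point, reporting the gcd that makes the denominator a non-unit. The lemma above is checked with k = 1 on the constructed curve y^2 = x^3 + x + 1 over Z_n with n = 23 · 29 (all sample values constructed; the point count over F_23 is obtained by exhaustive search).

```python
# Added example, not the thesis's own code. Short-Weierstrass arithmetic
# y^2 = x^3 + a*x + b with the formulas (3.5)-(3.7), written over Z_n so the same
# routine serves F_p (n prime) and the ring case of 3.4 (n = p*q squarefree).
from math import gcd

O = None  # the point at infinity, identity of the group


class NonUnitDivisor(Exception):
    """Raised when a slope needs 1/d but d is not a unit mod n.
    For n = p*q the attribute `factor` is then p or q (Section 3.4)."""

    def __init__(self, factor):
        super().__init__(f"division by a non-unit; gcd with n = {factor}")
        self.factor = factor


def inv_mod(d, n):
    g = gcd(d, n)
    if g != 1:
        raise NonUnitDivisor(g)
    return pow(d, -1, n)


def ec_add(P, Q, a, n):
    """P + Q on y^2 = x^3 + a*x + b over Z_n (b only decides which points exist)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % n == 0:
        if (y1 + y2) % n == 0:
            return O                                    # Q = -P
        if (y1 - y2) % n != 0:
            # Possible only over a ring: Q = -P modulo one prime factor of n
            # but Q = P modulo the other, so gcd(y1 + y2, n) is a proper factor.
            raise NonUnitDivisor(gcd(y1 + y2, n))
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1 % n, n) % n     # tangent, (3.7)
    else:
        lam = (y2 - y1) * inv_mod((x2 - x1) % n, n) % n          # chord, (3.7)
    x3 = (lam * lam - x1 - x2) % n                               # (3.5)
    y3 = (lam * (x1 - x3) - y1) % n                              # (3.6)
    return (x3, y3)


def ec_mul(k, P, a, n):
    """kP by double-and-add, k >= 0."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, a, n)
        P = ec_add(P, P, a, n)
        k >>= 1
    return R


def count_points(a, b, p):
    """#E(F_p) by exhaustive search (p a small prime): O plus all affine solutions."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return 1 + sum(len(roots.get((x ** 3 + a * x + b) % p, [])) for x in range(p))


def hasse_ok(a, b, p):
    """Theorem 4: |#E(F_p) - (p + 1)| <= 2*sqrt(p), checked as t^2 <= 4p."""
    t = p + 1 - count_points(a, b, p)
    return t * t <= 4 * p


def ring_lemma_check(a, b, p, q, P):
    """Lemma of 3.4 with k = 1: (N_n + 1)P should equal P on E_n(a, b), n = p*q.
    Returns True when the scalar multiplication is defined and the lemma holds;
    returns the proper factor of n exposed if an intermediate addition is undefined."""
    n = p * q
    ep, eq = count_points(a, b, p), count_points(a, b, q)
    N = ep * eq // gcd(ep, eq)                         # N_n = lcm(#E_p, #E_q)
    try:
        return ec_mul(N + 1, P, a, n) == P
    except NonUnitDivisor as e:
        return e.factor


if __name__ == "__main__":
    a, b = 1, 1                                        # constructed curve y^2 = x^3 + x + 1
    print("#E(F_23) =", count_points(a, b, 23), "Hasse bound holds:", hasse_ok(a, b, 23))
    print("2*(0,1) over F_23 =", ec_add((0, 1), (0, 1), a, 23))
    print("lemma over Z_(23*29):", ring_lemma_check(a, b, 23, 29, (0, 1)))
```

With primes this small an undefined addition is not rare, which is exactly the point made above: `ring_lemma_check` then returns the factor instead of a point, while for n with large prime factors the exception path is practically never taken and the lemma supplies the group-like property the cryptosystem needs.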


3.5 Implementations over F_{2^m} 

From the addition formulae, it can be seen that two distinct points on an elliptic 
curve can be added by means of three multiplications and one inversion of field 
elements in the underlying field K, while a point can be doubled in one inversion 
and four multiplications in K. Additions and subtractions are not considered in this 
count, since these operations are relatively inexpensive. We have to select a curve 
and field K so as to minimize the number of field operations involved in adding two 
points. 

Curves over K = F_{2^m} have some specific properties which make them attrac- 
tive for the implementation of cryptosystems. The field F_{2^m} can be viewed as a 
vector space of dimension m over F_2. That is, there exists a set of m elements 
\alpha_0, \alpha_1, \ldots, \alpha_{m-1} in F_{2^m} such that each a \in F_{2^m} can be written uniquely in the form 

a = \sum_{i=0}^{m-1} a_i \alpha_i, \qquad \text{where } a_i \in \{0, 1\}. 

We can then represent a as the 0-1 vector (a_0, a_1, \ldots, a_{m-1}). In hardware, a field ele- 
ment is stored in a shift register of length m. Addition of field elements is performed 
by bitwise XOR-ing the vector representations, and takes one clock cycle. If the 
field elements are represented in a special basis, called a normal basis, then squaring 
is just a rotation operation. But multiplication in a normal basis is quite complex. 
However, it is possible to choose a normal basis, called an optimal normal basis, for which 
the complexity can be reduced substantially. Curves over F_{2^m} with zero j-invariant 
are advantageous for the following reasons. 

• The arithmetic in F_{2^m} is easier to implement in computer hardware than the 
arithmetic in finite fields of characteristic greater than 2. 

• When using a normal basis representation for the elements of F_{2^m}, squaring a 
field element becomes a simple cyclic shift of the vector representation, and 
thus reduces the multiplication count in adding two points. 

• For curves of zero j-invariant over F_{2^m}, the inverse operation in doubling a 
point can be eliminated by choosing a_3 = 1. 

• For the curves for which m is odd, it is easy to recover the y-coordinate 
of a point given its x-coordinate and a single bit of the y-coordinate. This 
is useful in message imbedding, and in reducing message expansion in the 
ElGamal scheme. 

If a normal basis representation is chosen for the elements of F_{2^m}, we see that 
doubling a point in E is "free", while adding two distinct points in E can be 
accomplished in two multiplications and one inversion. For the reasons given above, 
curves over F_{2^m} are preferred for hardware implementations like the "Smart Card". 

3.5.1 Projective Coordinates 

From the addition formulae, we see that adding two distinct points on a non- 
supersingular curve over F_{2^m} takes 2 field multiplications and 1 inversion, while 
doubling a point takes 3 and 1 respectively. Even though there are special tech- 
niques for computing inverses in F_{2^m}, an inversion is still far more expensive than a 
field multiplication. The inverse operation needed when adding two points can be 
eliminated by resorting to projective coordinates. 

Let E be the nonsupersingular curve y^2 + xy = x^3 + a_2 x^2 + a_6 over K = F_{2^m}. 
E can be equivalently viewed as the set of all points in P^2(K) which satisfy the 
homogeneous cubic equation y^2 z + xyz = x^3 + a_2 x^2 z + a_6 z^3. Here P^2(K) denotes 
the projective plane over K. The points of P^2(K) are all of the non-zero triples 
in K^3 under the equivalence relation \sim, where (x, y, z) \sim (x', y', z') if and only if 
there exists \alpha \in K^* such that x' = \alpha x, y' = \alpha y and z' = \alpha z. The representative 
of an equivalence class containing (x, y, z) will be denoted by (x : y : z). It is to 
be noted that the only projective point in E with z-coordinate equal to 0 is the 
point (0 : 1 : 0), which is the point at infinity O of E. If O \neq (x : y : z) \in E, then 
(x : y : z) = (x/z : y/z : 1), and so the projective point (x : y : z) corresponds 
uniquely to the affine point (x/z, y/z). 

Let P = (x_1 : y_1 : z_1) \in E, Q = (x_2 : y_2 : 1) \in E, and suppose that P, Q \neq 
O, P \neq Q and P \neq -Q. Since P = (x_1/z_1 : y_1/z_1 : 1) we can use the addition 
formula for E in affine coordinates to find P + Q = (x_3' : y_3' : 1). We obtain 

x_3' = \left(\frac{B}{A}\right)^2 + \frac{B}{A} + \frac{x_1}{z_1} + x_2 + a_2, \qquad 
y_3' = \frac{B}{A}\left(\frac{x_1}{z_1} + x_3'\right) + x_3' + \frac{y_1}{z_1}, 

where A = z_1 x_2 + x_1 and B = z_1 y_2 + y_1. 

To eliminate the denominators of the expressions for x_3' and y_3', we set z_3 = 
A^3 z_1, x_3 = x_3' z_3 and y_3 = y_3' z_3, to get P + Q = (x_3 : y_3 : z_3), where 

x_3 = A D 

y_3 = C D + A^2 (B x_1 + A y_1) 

z_3 = A^3 z_1 

and where C = A + B, and D = A^2 (A + a_2 z_1) + z_1 B C. From the above formulae 
we can conclude the following. Using projective coordinates, for addition, we need 
13 multiplications as compared to 2 in affine coordinates. However, we avoid the 
costly inversion. Similarly a doubling requires 7 multiplications, which is better than 
3 multiplications and 1 inversion. 


3.6 Security Aspects of Elliptic Curves 

3.6.1 Elliptic Curve Discrete Logarithm Problem 

Elliptic curves can be split into two classes, namely those which are supersingular, 
and those that are not. In [43] it is shown that for purposes of solving the discrete 
logarithm problem, these groups could be mapped isomorphically into the mul- 
tiplicative group of an extension of the underlying field. Under this mapping, the 
security of systems based on the two classes of curves differs radically. There are two 
types of algorithms for solving (attacking) the discrete logarithm problem [43], [38], 
namely, general attacks which are independent of the representation of the under- 
lying group, and specific attacks, which depend on the representation as mentioned 
earlier. 

In terms of elliptic curves, the discrete logarithm problem, referred to as the 
elliptic curve discrete logarithm problem (EDLP), is the following. Let E(F_q) be an 
elliptic curve over F_q and let P be a point in E(F_q). For any point R \in \langle P \rangle (the 
subgroup generated by P), determine an efficient method to find the integer k, 0 \leq 
k \leq \#P - 1 (\#P is the order of P), such that kP = R. 

The most powerful general algorithm for solving the discrete logarithm problem 
known at present is the baby-step giant-step algorithm of Shanks. Let G be a group 
of order n and consider the interval I(n) of integers from 0 to n - 1. Let \alpha and \beta be 
two members of G, and suppose we want to determine (if such exists) an integer 
x in I(n) such that \alpha^x = \beta. The algorithm is as follows. Let m = \lceil \sqrt{n} \rceil. Then 
precompute a list of pairs (i, \alpha^i) for 0 \leq i < m. Then for each 0 \leq j < m, 
compute \beta \alpha^{-jm} and see if this element is the second component of a member of the 
precomputed list. If \beta \alpha^{-jm} = \alpha^i for some i, 0 \leq i < m, then \beta = \alpha^{i + jm}; otherwise 
no solution exists for x. Algorithms in this class have running times no better than 
O(\sqrt{p}), where p is the largest prime dividing the order of G. 
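As an added example (not the thesis's code), Shanks's algorithm as just described, written for an arbitrary finite group given by its operation so that it can be run over F_p^* here and, for contrast, over the integers modulo m of Section 3.2, where the same "logarithm" x with x·a = b is found directly with the extended Euclidean algorithm. The sample groups (p = 23 with primitive root 5, and Z_20) are constructed.

```python
# Added example, not from the thesis: baby-step giant-step for a generic group,
# and the additive group Z_m of Section 3.2, where x*a = b is solved with the
# extended Euclidean algorithm instead. The sample parameters below are
# constructed (p = 23 with the primitive root 5; the additive group Z_20).
from math import gcd, isqrt


def bsgs(op, inverse, identity, alpha, beta, n):
    """Return x in [0, n) with alpha^x = beta in a group of order n, or None.
    `op` is the group law and `inverse` the group inverse; the cost is about
    2*sqrt(n) group operations and sqrt(n) stored elements."""
    m = isqrt(n - 1) + 1                          # m = ceil(sqrt(n))
    baby = {}
    g = identity
    for i in range(m):                            # baby steps: alpha^i, 0 <= i < m
        baby.setdefault(g, i)
        g = op(g, alpha)
    giant = inverse(g)                            # g is alpha^m, so this is alpha^(-m)
    gamma = beta
    for j in range(m):                            # giant steps: beta * alpha^(-jm)
        if gamma in baby:
            return (baby[gamma] + j * m) % n      # beta = alpha^(i + jm)
        gamma = op(gamma, giant)
    return None


def dlog_mod_p(alpha, beta, p):
    """x with alpha^x = beta in the multiplicative group F_p^*, of order p - 1."""
    return bsgs(lambda u, v: u * v % p, lambda u: pow(u, -1, p), 1,
                alpha % p, beta % p, p - 1)


def dlog_additive(a, b, m):
    """x with x*a = b in Z_m: solvable iff gcd(a, m) divides b, and then found
    with the extended Euclidean algorithm (pow(., -1, .) is the modular inverse)."""
    g = gcd(a, m)
    if b % g:
        return None
    a, b, m = a // g, b // g, m // g
    if m == 1:
        return 0
    return b * pow(a, -1, m) % m


def dlog_additive_bsgs(a, b, m):
    """The same additive problem solved with bsgs, for comparison."""
    return bsgs(lambda u, v: (u + v) % m, lambda u: (-u) % m, 0, a % m, b % m, m)


if __name__ == "__main__":
    print("log_5 of 5^17 in F_23^*  :", dlog_mod_p(5, pow(5, 17, 23), 23))
    print("x*7 = 3 in Z_20          :", dlog_additive(7, 3, 20), dlog_additive_bsgs(7, 3, 20))
    print("x*4 = 3 in Z_20 (none)   :", dlog_additive(4, 3, 20), dlog_additive_bsgs(4, 3, 20))
```

The two representations of a cyclic group of order 20 illustrate the point of Section 3.2: in Z_20 the answer costs one gcd and one modular inverse, whereas the generic routine needs about 2√n group operations and √n stored elements whatever the representation, which is why the representation chosen for a cryptosystem, not the abstract group, decides the difficulty.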

The most successful attack on the elliptic logarithm problem so far is a method 
due to Menezes, Okamoto, and Vanstone [43], known as the MOV attack. They showed 
that the discrete log problem on an elliptic curve can be reduced to (i.e. has the 
same complexity as) the discrete log problem in a finite field. This results in a 
subexponential algorithm for EDLP in case of supersingular curves, making them a 
bad choice for cryptosystem designs. 

Let E be an elliptic curve over \bar{F}_q, the algebraic closure of F_q. E(F_q) is the set of 
all points in E with coordinates from F_q. E(F_q) has finitely many points, whereas 
E has infinitely many. Define 

E[n] = \{P \in E : nP = O\}. 

E[n] is called the set of n-torsion points of E. Now for each n with \gcd(n, q) = 1, there 
exists a positive integer k such that E[n] \subseteq E(F_{q^k}), and an isomorphism from E[n] 
to a subgroup of F_{q^k}^* can be computed using the Weil pairing [51]. There exists a 
random polynomial time algorithm for computing the Weil pairing. These results 
form the basis for the MOV attack. 

Let E(F_q) be an elliptic curve over F_q and let P be a point of order n (i.e. 
\#\langle P \rangle = n). To apply the MOV method, if \gcd(n, q) = 1, determine the smallest 
value of k such that E[n] \subseteq E(F_{q^k}). It is to be noted that a necessary condition for 
E[n] \subseteq E(F_{q^k}) is that n \mid q^k - 1. Now let R be a point of E(F_q) whose log with respect 
to P is s. This logarithm can be found by using the index calculus method for F_{q^k}. 
Thus even though the index calculus methods do not apply directly to E(F_q), we 
map a subgroup of this group into an algebraic structure where the method does 
apply. 

Menezes, Okamoto and Vanstone show that, in the case of supersingular curves, the MOV reduction becomes a subexpo- 
nential attack. This happens because it can be shown that all supersingular curves 
have very small values of k associated with them. In general, however, nonsuper- 
singular curves have large values of k associated with them. If k > \log^2 q, then 
the index calculus method in F_{q^k} becomes fully exponential and the MOV attack is 
worse than the square root attacks. For an ordinary elliptic curve with q being a 
large prime, there exists an n-torsion subgroup on which the Weil pairing can't be 
defined. This implies that EDLP on E cannot be reduced to DLP in any extension 
field by any embedding for these curves. Miyaji [7] studied EDLP on these curves 
and showed that EDLP on E can be reduced to an EDLP to which the MOV reduction 
is possible. A summary of this study is as below. 

• For any elliptic curve E defined over F_{2^m}, we can reduce EDLP on E to an EDLP 
to which the MOV reduction is applicable, in expected polynomial time. 

• For a certain ordinary elliptic curve E defined over F_p, there exists an EDLP 
on E which makes any embedding to DLP in any extension field of 
F_p inapplicable. Then such an EDLP on E/F_p is secure enough against all known 
attacks. 

Consider a nonsupersingular curve E(F_q) where q = 2^{155}. It is known [51] that 
E(F_q) \cong Z_{n_1} \times Z_{n_2} where n_2 \mid n_1. Suppose also that p is a prime dividing n_1 and that p 
has about 40 decimal digits. For an elliptic curve cryptosystem to be secure against 
the first attack, the order of the curve \#E(F_q) has to contain a large prime factor. 
It is possible to find curves over F_q whose order is divisible by a prime factor with 
up to 46 decimal digits. These curves are secure with the present computational skills 
and algorithms available. If the smallest value of k for which E[n_1] \subseteq E(F_{q^k}) is at 
least 10, then the MOV attack requires an index calculus attack in a field with more 
than 1500 bits. For this elliptic curve, the most efficient way to compute elliptic 
logarithms is by one of the square root attacks, which is infeasible for numbers of 
this size. 


3.6.2 Cryptographic Implications 

LaMacchia and Odlyzko have recently implemented the Gaussian integer variant 
of the index calculus method, and they were easily able to compute logarithms in 
F_p, p a 192-bit prime. While the number field sieve has a much better asymptotic 
running time than the Gaussian integer method, it does not seem to be practical for 
fields F_p, where p < 2®^^. For F_{2^m}, recent computations of Gordon and McCurley 
indicate that computing logarithms in F_{2^m} for m about 500 is barely feasible given 
large amounts of computer resources. Therefore it appears that, given the best 
algorithms known for the discrete logarithm problem in finite fields and given the 
best available computer technology, the discrete logarithm is intractable for finite 
fields of size greater than 2®°°. 

3.6.3 A Practical Implementation 

It is worth mentioning that the use of nonsupersingular curves in public key cryp- 
tography provides by far the greatest security per bit of any known public key 
system. It was believed that elliptic curves could not be implemented efficiently, 
and therefore would be of little practical use. But the research group at the University 
of Waterloo has gone the farthest in improving and implementing elliptic curve 
cryptography in VLSI. They have developed an arithmetic processor [3] in the field 
F_{2^{155}} which allows an efficient and practical implementation of elliptic curve cryp- 
tosystems. 

In [3], for supersingular curves over F_{2^{155}}, the estimated throughput rate is re- 
ported as approximately 44 * 10^ bits per second. For the nonsupersingular case, 
assuming a Hamming weight of 20 and a clock rate of 40 MHz, the approximate 
throughput rate on any nonsupersingular curve over F_{2^{155}} is given as 60 * 10^ bits 
per second. For an unrestricted Hamming weight, the approximate throughput is 
40 kbits per second. 

3.7 Elliptic Curve Cryptosystems 

In the following subsections, we shall discuss the elliptic curve analogs of some 
public key cryptosystems discussed earlier. 

3.7.1 Diffie-Hellman Scheme 

We describe below the elliptic curve analog of the Diffie-Hellman scheme [34]. Suppose 
that Asha and Balu want to agree upon a key which will later be used in conjunction 
with a classical secret key cryptosystem. They first publicly choose a finite field F_q 
and an elliptic curve E defined over it. Their task is to choose a point P_k in such 
a way that all of their communication with one another is public and yet no one 
other than the two of them knows what P_k is. 

Asha and Balu publicly choose a point P_B \in E to serve as their "base point". 
P_B plays a role similar to the generator in the finite-field Diffie-Hellman system. 
However, in this case P_B need not be a generator of the group of points on E. It 
is enough if P_B is a fixed publicly known point on E whose order is very large, such 
that it is either N or a large divisor of N, where N is the order of the curve. 

To generate a key, Asha chooses a random integer a of order of magnitude q, 
which she keeps secret. She computes aP_B \in E, which she makes public. Similarly 
Balu chooses a random b and makes public bP_B \in E. The secret key is then P_k = 
abP_B \in E. Both the users can now easily compute the key P_k. For example, in case 
of Asha, a is her secret key and she knows bP_B since it is public. However, a third 
party knows only aP_B and bP_B. Without solving the discrete logarithm problem 
there is no way to compute abP_B knowing only aP_B and bP_B. 

3.7.2 ElGamal Scheme 

Koblitz suggested a procedure for implementing the ElGamal scheme [34] over elliptic 
curves. Consider an elliptic curve E(F_q) defined over a field F_q with order \#E(F_q). 
Let P_B \in E(F_q) be a fixed and publicly known point called the base point. Each 
user chooses an integer d_i randomly, such that 0 < d_i < \#E(F_q), and makes the 
point d_i P_B public while keeping d_i secret. 

Message Imbedding 

Before encrypting, messages have to be related to points on the working curve. This 
is called message imbedding. Lengthy messages are made into blocks and each 
block is suitably associated to a point on the curve. This has to be done in a simple 
systematic way, so that the plaintext m, which is an integer in some range, can 
readily be determined from the knowledge of the coordinates of the corresponding 
point P_m. The plaintext imbedding is not the same thing as encryption, but enables 
an authorized user of the system to recover m after deciphering the ciphertext point. 

It is to be noted that there is no polynomial time deterministic algorithm known 
for writing down a large number of points on an arbitrary elliptic curve E over 
F_q. However, there are probabilistic algorithms for which the chance of failure is 
very small. Also, it is not enough to generate random points of E(F_q); we need a 
systematic way to generate points that are related to m in some way. We describe 
below a probabilistic method [34], which we have implemented, to imbed plaintexts 
as points on an elliptic curve E defined over F_q, where q = p^r is assumed to be 
large. 

Let k be a large enough integer so that we are satisfied with a failure probability 
of 1 out of 2^k. Let us assume that our message units m are integers 0 \leq m < M, 
and our finite field is chosen so that q > Mk. We write the integers from 1 to Mk 
in the form mk + j, where 1 \leq j \leq k. Thus we set up a one-to-one correspondence 
between such integers and a set of elements of F_q. Given m, for each j = 1, 2, \ldots, k 
we obtain an element x of F_q corresponding to mk + j. For such an x, we compute 
the right side of the equation 

y^2 = f(x) = x^3 + ax + b, 

and check whether it is a quadratic residue modulo q; if it is, a square root y of f(x) 
gives the point P_m = (x, y). 

In practice k = 30 or at worst k = 50 suffices. In our implementation, through 
repeated trials, it was found that the average number of tries was 3 (i.e., k = 3) 
and the maximum value of k attained was 8. 
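As an added example (not the thesis's implementation), the imbedding just described over a prime field. It assumes a prime p ≡ 3 (mod 4), for which a square root of a quadratic residue r is r^((p+1)/4); the thesis does not fix how the root is taken, and for other primes Tonelli-Shanks would be used instead. The prime p = 1019, the curve y^2 = x^3 + x + 1, the message range M = 50 and k = 20 are constructed so that p > Mk as the method requires.

```python
# Added example, not the thesis's implementation: Koblitz's probabilistic
# plaintext imbedding over F_p with p = 1019 = 3 (mod 4) (constructed), so a
# square root of a residue r is r^((p+1)/4). M = 50 and k = 20 are constructed
# with p > M*k as the method requires.
P_MOD, A, B = 1019, 1, 1      # curve y^2 = x^3 + x + 1 over F_1019 (constructed)
M_MAX, K = 50, 20             # messages 0 <= m < M_MAX, at most K tries each


def is_quadratic_residue(r):
    """Euler's criterion: 0 < r < p is a square mod p iff r^((p-1)/2) = 1."""
    return pow(r, (P_MOD - 1) // 2, P_MOD) == 1


def sqrt_mod(r):
    """One square root of a residue r; valid only because P_MOD = 3 (mod 4)."""
    assert P_MOD % 4 == 3
    return pow(r, (P_MOD + 1) // 4, P_MOD)


def imbed(m):
    """Map message m to a point P_m = (x, y) with x = m*K + j, 1 <= j <= K.
    Returns ((x, y), j) on success, or (None, K) if all K candidates fail,
    which happens with probability about 2^-K."""
    assert 0 <= m < M_MAX
    for j in range(1, K + 1):
        x = m * K + j
        rhs = (x ** 3 + A * x + B) % P_MOD
        if rhs == 0:
            return (x, 0), j                      # y = 0 is a point of the curve
        if is_quadratic_residue(rhs):
            return (x, sqrt_mod(rhs)), j
    return None, K


def recover(point):
    """Invert the imbedding: m is read off the x-coordinate alone."""
    x, _ = point
    return (x - 1) // K


def on_curve(point):
    x, y = point
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


if __name__ == "__main__":
    for m in (0, 7, 49):
        pt, tries = imbed(m)
        print(m, "->", pt, "after", tries, "tries; recovered:",
              None if pt is None else recover(pt))
```

Because m is recovered from x alone, the receiver never needs y to read the plaintext; the number of tries reported per message is the quantity the thesis tabulates as its average of 3 and maximum of 8.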

ElGamal Procedure 

Suppose Asha has to send a message P_m to Balu, P_m \in E(F_q). She chooses a 
random integer k such that 0 < k < \#E(F_q) and sends the following pair of points 
as the ciphertext to Balu. 

C = (kP_B, \; P_m + k(d_B P_B)) 

Here d_B P_B is the public key of Balu. 

To decrypt the message, Balu multiplies kP_B with his secret key d_B and subtracts 
k d_B P_B from the second point in the pair to get the original message. 

P_m = P_m + k(d_B P_B) - d_B(kP_B) 

It is clear that there is a message expansion by a factor 2. For each message 
point, two points have to be sent as ciphertext. From the security point of view, the 
same k should not be used for consecutive blocks of encryption. If k is used for 
more than one block, knowledge of one block P_{m1} of the message enables an intruder 
to compute other blocks as follows. Let C_1 and C_2 be two consecutive cipher blocks 
for the messages P_{m1} and P_{m2}. Using the same k, 

C_1 = (kP_B, \; P_{m1} + k(d_B P_B)) 

C_2 = (kP_B, \; P_{m2} + k(d_B P_B)) 

Subtracting the second points of C_1 and C_2 we get P_{m1} - P_{m2}, and by knowing one 
the other can be easily calculated. A single elliptic curve E(F_q) defined over a field 
F_q along with the base point P_B can be shared by a group of people. The security 
of the system depends on the elliptic curve discrete logarithm problem. 
3.7.3 ElGamal Scheme over F_2^m 

Implementation of the ElGamal scheme over F_2^m ([40], [41]) has a slightly different 
approach. Let us consider a non-supersingular curve E : y^2 + xy = x^3 + a_2 x^2 + a_6 
defined over F_2^m, and let P be a publicly known point on E. Assume that the 
elements of F_2^m are represented in normal basis. Messages are considered as ordered 
pairs of elements in F_2^m. User Asha randomly chooses an integer a and makes 
public the point aP, and keeps a secret. To transmit the message (M_1, M_2) to 
Asha, sender Balu selects a random integer k and computes the points kP and 
k(aP) = (x, y). Assuming that x, y ≠ 0 (the event x = 0 or y = 0 occurs with 
negligible probability for random k), Balu then sends Asha the point kP and the 
field elements M_1 x and M_2 y. To read the message, Asha multiplies the point kP 
by her secret key a to obtain a(kP) = (x, y), from which she can recover M_1 and M_2 in 
two divisions. By knowing M_1 (or M_2), an intruder can easily obtain M_2 (or M_1). 
This attack can be prevented by only sending (kP, M_1 x). 

In this scheme, four field elements are transmitted in order to convey a message 
consisting of two field elements. There is message expansion by a factor of 2. The 
message expansion can be reduced to 3/2 by sending x_1 and only a single bit of y_1/x_1 
(if x_1 ≠ 0), instead of sending the point P = (x_1, y_1). Then y_1 can be recovered 
as follows. If x_1 = 0, then y_1 = sqrt(a_6). If x_1 ≠ 0, then the change of variables 
(x, y) -> (x, xz) transforms the equation of the curve to z^2 + z = x + a_2 + a_6 x^(−2). 
Compute α = x_1 + a_2 + a_6 x_1^(−2). To solve the quadratic equation z^2 + z = α, let 
z = (z_0, z_1, ..., z_(m−1)) and α = (α_0, α_1, ..., α_(m−1)) be the vector representations of z 
and α respectively. Then 

z^2 + z = (z_(m−1) + z_0, z_0 + z_1, ..., z_(m−2) + z_(m−1)) 

A unique solution z to z^2 + z = α can be obtained by choosing z_0 = 0 or z_0 = 1. 
This can be obtained by comparing the components of z^2 + z and α. The exact 
solution can be obtained by comparing it with the corresponding bit of y_1/x_1 that 
was transmitted. y_1 is obtained from y_1 = x_1 z. 
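The solution step for z^2 + z = α in a normal basis, where squaring is the cyclic shift written out above, as an added example (not the thesis code). Elements are plain bit lists (z_0, ..., z_(m−1)); computing α itself from x_1 needs the field multiplication and inverse and is assumed to have been done already.

```python
"""Solving z^2 + z = alpha in F_{2^m} in normal basis; an added example, not the thesis code."""


def square_plus_self(z):
    """z^2 + z on a normal-basis bit vector: squaring is a cyclic shift, so
    component j is z_{j-1} + z_j (index -1 wraps to m-1), exactly as written above."""
    return [z[j - 1] ^ z[j] for j in range(len(z))]


def solve_quadratic(alpha, z0):
    """Return the solution z of z^2 + z = alpha with the chosen z_0, or None.

    Component j gives z_j = alpha_j + z_{j-1}, so z_0 determines the whole vector;
    the wrap-around component z_{m-1} + z_0 = alpha_0 then holds only when alpha
    has a solution at all (an even number of 1 bits, i.e. trace zero).  The two
    solutions, for z_0 = 0 and z_0 = 1, are complements of each other, which is
    why one transmitted bit of y_1/x_1 is enough to pick the right root.
    """
    m = len(alpha)
    z = [z0] + [0] * (m - 1)
    for j in range(1, m):
        z[j] = alpha[j] ^ z[j - 1]
    if (z[m - 1] ^ z[0]) != alpha[0]:
        return None                      # no root in F_{2^m}: point cannot be recovered
    return z
```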

For the implementation of this scheme a throughput of 27 Kbps has been 
achieved using the processor discussed in 3.6.3. 


3.7.4 Elliptic Curve analog of RSA 

For some special classes of elliptic curves the order and group structure are easy to 
compute as given by the following lemmas [35]. 

LEMMA 1 Let p be an odd prime satisfying p ≡ 2 mod 3. Then, for 0 < b < 
p, E_p(0, b) is a cyclic group of order #E_p(0, b) = p + 1. 

LEMMA 2 Let p be a prime satisfying p ≡ 3 mod 4. Then, for 0 < a < p, we 
have #E_p(a, 0) = p + 1. Moreover, E_p(a, 0) is cyclic if a is a quadratic residue 
modulo p and E_p(a, 0) ≅ Z_((p+1)/2) × Z_2 otherwise. 

In this section, we look into the implementation of RSA based on elliptic curves 
over a ring. We describe here a protocol [35] for the RSA public key cryptosystem based 
on elliptic curves as described in Lemma 1. Construction of a system using Lemma 
2 is very similar and is not considered here. 

Key Generation 

User U chooses large primes p and q such that 

p ≡ q ≡ 2 mod 3 

U computes the product 

n = pq, and N_n = lcm(#E_p(0, b), #E_q(0, b)) = lcm(p + 1, q + 1). 

U then chooses an integer e which is coprime to N_n, and computes an integer d such 
that 

ed ≡ 1 (mod N_n). 

Now, the secret key of U is d, (p, q, #E_p(0, b), #E_q(0, b), N_n), and the public key 
is n, e. 

Encryption 

A plaintext M = (m_x, m_y) is an integer pair, where m_x, m_y ∈ Z_n. Let M = 
(m_x, m_y) be a point on the elliptic curve E_n(0, b), where b is determined by m_x and 
m_y. 

Asha encrypts the point M by the encryption function E() with Balu's public key 
e and n as 

C = E(M) = e·M over E_n(0, b), 

and sends a ciphertext pair C = (c_x, c_y) to Balu. 

Decryption 

Balu decrypts the point C by the decryption function D() with his secret key d and 
public key n as 

M = D(C) = d·C over E_n(0, b) 

In this scheme, message embedding is not a problem as we take two successive 
blocks as coordinates of a point and compute b for this point, which decides the 
curve. This makes this scheme interesting as it is not defined on a single group but 
on a large class of groups, all with the same order. The curve to be used is thus 
determined by the plaintext to be transmitted. For the class of elliptic curves used 
in this scheme, the addition formula is independent of a and b, and the doubling 
formula is independent of b. Thus, the above protocol does not require computation 
of the value b = m_y^2 − m_x^3 mod n. If Lemma 2 is adopted, for the addition formula 
the sender must compute a such that a = (m_y^2 − m_x^3)/m_x mod n, and the receiver 
must compute a such that a = (c_y^2 − c_x^3)/c_x mod n. 

It is to be noted that in the case of Lemma 1, the minimum possible value of e 
is 5 because 2 | N_n and 3 | N_n. In the case of Lemma 2, the minimum possible value 
of e is 3 because 2 | N_n. 
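The Lemma 1 protocol carried out end to end over Z_n, as an added example that is not the thesis implementation. The primes, e and plaintext point are constructed toy values (p = 11, q = 17, M = (40, 93)); the addition routine never touches b, as the text says, and treats a non-invertible denominator as an error because over the ring that event would split n.

```python
"""RSA over E_n(0, b) following the Lemma 1 protocol above; an added example, not the thesis implementation."""
from math import gcd

# Constructed toy parameters (far too small for security): p = q = 2 (mod 3).
P, Q = 11, 17
N_RING = P * Q                                       # n = pq = 187
N_ORDER = (P + 1) * (Q + 1) // gcd(P + 1, Q + 1)     # N_n = lcm(p + 1, q + 1) = 36
E_PUB = 5                                            # smallest e coprime to N_n (2 | N_n, 3 | N_n)
D_SEC = pow(E_PUB, -1, N_ORDER)                      # e*d == 1 (mod N_n), here d = 29


def curve_b(pt, n=N_RING):
    """b = m_y^2 - m_x^3 mod n: the plaintext point itself fixes the curve y^2 = x^3 + b."""
    x, y = pt
    return (y * y - x ** 3) % n


def add(p1, p2, n=N_RING):
    """Chord/tangent addition over Z_n for y^2 = x^3 + b; note that b is never needed.

    Over the ring a denominator that is not invertible means the point at infinity
    was reached modulo p or q (and gcd would then split n), so it is an error.
    """
    (x1, y1), (x2, y2) = p1, p2
    if p1 == p2:
        num, den = 3 * x1 * x1, 2 * y1          # doubling: a = 0, b absent
    else:
        num, den = y2 - y1, x2 - x1
    if gcd(den % n, n) != 1:
        raise ValueError("denominator not invertible mod n")
    lam = (num * pow(den, -1, n)) % n
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)


def mul(k, pt, n=N_RING):
    """k*pt by left-to-right double-and-add, k >= 1."""
    acc = pt
    for bit in bin(k)[3:]:                       # bits below the leading 1
        acc = add(acc, acc, n)
        if bit == "1":
            acc = add(acc, pt, n)
    return acc


def encrypt(m, e=E_PUB, n=N_RING):
    """C = e*M over E_n(0, b)."""
    return mul(e, m, n)


def decrypt(c, d=D_SEC, n=N_RING):
    """M = d*C over E_n(0, b); works because ed == 1 (mod lcm(#E_p, #E_q))."""
    return mul(d, c, n)
```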

Security 

Security of this scheme defined over elliptic curves, like conventional RSA, depends 
on the difficulty of factoring n. Considering the fact that elliptic curve computations 
are expensive, it is worth probing the need for RSA over elliptic curves. In broadcast 
applications, the original RSA cryptosystem is not secure if the encryption key 
e is small. In other words, an attack based on the Hastad theorem called the 
low exponent attack is effective against this cryptosystem. It has been shown in 
[kuro, kuwa] that RSA-type cryptosystems over elliptic curves such as the KMOV 
and Demytko cryptosystems [REF: 3,4] are more secure than the original RSA 
cryptosystem against the low exponent attack (referred to as the low multiplier attack 
in the case of elliptic curves). 

Low Exponent Attack ([36], [25], [37]) 

Theorem (Hastad) 1 Let e and n_i be the public key of the original RSA cryptosystem 
for a receiver R_i (1 ≤ i ≤ k). The common plaintext m is encrypted 
as c_i = m^e mod n_i, (1 ≤ i ≤ k) for k receivers. If k ≥ e then the system of 
congruences c_i ≡ m^e (mod n_i), (1 ≤ i ≤ k) can be transformed into the equation 
c = m^e, where c is the combined ciphertext from c_i, (1 ≤ i ≤ e) via the Chinese 
remainder theorem. 

Assume that 3 is chosen as the exponent and that A wants to send the same 
message m to users U_1, U_2 and U_3. She will compute and send y_i = m^3 (mod n_i), i = 
1, 2, 3. But using the fact that n_1, n_2 and n_3 are relatively prime, a listener who 
knows the values of y_1, y_2 and y_3 can combine the messages by Chinese remaindering 
to get m^3 (mod n_1 n_2 n_3), and since m^3 < n_1 n_2 n_3 he can recover m. In general, if the 
exponent is e the number of messages needed is e. Instead of sending the same 
message m to everybody one can attach the time-stamp or user-ID and thus send 
the encryption of 2^s m + t, where 2^s m is the shifted message and t is the time 
(which will be different for different receivers). The previous attack fails and now 
the problem is (for e = 3) transformed as follows. 

Given (a_i m + b_i)^3 (mod n_i) where all the a_i and b_i are known, recover m in 
polynomial time. Hastad proved that it is possible through the following theorem. 
Theorem (Hastad) 2 Given a set of equations Σ_(j=0..h) a_ij x^j ≡ 0 mod n_i, i = 1, ..., k, 
where x < N and gcd((a_ij)_(j=0..h), n_i) = 1 for all i. Then it is possible to recover x 
in polynomial time in e, k and log n_i if 

N > n~ ^ (k + h + l) 3 2 2 i 

where N = min(n_i), h is the degree of the equation and k is the 
number of equations. 

Therefore, sending more than messages enables an adversary to recover the 
messages, and sending linearly related messages using conventional RSA with low 
exponent is also insecure. 

However, this attack is not known against elliptic curve RSA. The security of 
elliptic curve RSA cryptosystems has been evaluated in ([37] and [36]) against the 
Hastad attack. Kuwakado [36] showed that if e ≥ 5 and n = 2’^^, then elliptic RSA 
cryptosystems are secure against the Hastad attack. It is to be noted here that 
from Lemma 1 the minimum possible value for e is 5. For this value of e, for k = 428, 
Kurosawa [37] showed that these schemes are not secure if n > 2^°"^. For values of 
n < 2^°'“^ the condition in the theorem above is not satisfied and hence these schemes are secure. 



Chapter 4 

Multiple Precision Arithmetic 


4.1 Introduction 

Given the background in the previous chapters, let us now look into the implementational 
aspects of a cryptosystem. It is clear from the earlier discussions that the 
parameters involved in various computations are BIG NUMBERS. For example 
consider working in a field F_2^155. This would mean that all the computations are 
with 155-bit numbers. Similarly, if we are working in a field F_p where p is a 100 
digit prime, then the computations involve 100 digit numbers. Today to implement 
a secure RSA system, we must be able to manipulate 512-bit numbers. 

To handle numbers of this size we need a tool, often referred to as a "multiple 
precision integer arithmetic" (MPIA) package, which can manipulate numbers 
of large precision. In general, there are several implementations of MPIA that 
are available. The first significant implementation was by Buell and Ward [19]. 
They developed a package for MPIA and number-theoretic computation on the 
CRAY-2 and it was written entirely in FORTRAN. RSA Laboratories, which holds 
the patent for the RSA cryptosystem, has its own MP arithmetic cryptographic 
tool-kit, called RSAREF. This is accessible to only US and Canadian citizens and 
has export restrictions even for non-commercial applications. Also, there are other 
implementations specific to certain processors. Significant among these is an implementation 
on the Motorola DSP56000 [20], highly optimized for that processor. Apart 
from these there are multiprecision libraries like mplib and gmplib in the UNIX environment. 
These libraries have support for just the basic arithmetic and don't 
include any number-theoretic and cryptographic functions. 

The growing importance of data security, combined with the increased power 
and omnipresence of PCs, emphasises the need for cryptography on the desktop. We 
need an implementation of MPIA that can run on the ubiquitous PCs. We now 
discuss how we operate on multiprecision (MP) numbers using a programming 
language such as C that only goes as far as 32 bits. 
4.2 Basic Arithmetic with MultiPrecision Numbers (MPs) 

4.2.1 Representation of MultiPrecision Numbers (MPs) 

MPs are represented ([13], [12]) as arrays of type MP_DIGIT, where MP_DIGIT 
depends on the machine. For a 32-bit machine, MP_DIGIT can be defined as an 
unsigned long, which has a size of 32 bits. Each element of the array is a digit in 
the base r representation of the MP, where r = 2^b. For a 32-bit machine we can 
have b = 32. The representation of an integer x as an n-digit array is shown by the 
summation below. 

x = Σ_(i=0..n−1) x[i] r^i 

The minimum value of a digit is 0 and the maximum is r − 1. Lower-indexed 
elements of the array are less significant than higher-indexed elements. We can 
therefore define a multiprecision integer to be of type MP_INT which is an array 
of MP_DIGITs. For an MP_INT a, a[0] is the 1s digit of the array, a[1] the rs digit 
(similar to 10s digit), a[2] the r^2s digit (similar to 100s digit), and so on. 

For example, 2^512 + 1 (ninth Fermat number) would be represented as an array 
of 17 32-bit MP_DIGITs: 

a[0] = 1 
a[1] = a[2] = ... = a[14] = a[15] = 0 
a[16] = 1 
With C's built-in addition, subtraction, multiplication, and division operators, we 
already have the following abilities. 

• Add two MP_DIGITs, and get the 1s digit of the sum (but not the carry-out). 

• Subtract an MP_DIGIT from an MP_DIGIT, and get the 1s digit of the remainder 
(but not the borrow-out). 

• Multiply two MP_DIGITs, and get the 1s digit of the product (but not the rs 
digit). 

• Divide an MP_DIGIT by an MP_DIGIT, and get the quotient, also an MP_DIGIT. 

We have to now build the ability to operate on MP_INT using the above. Adding 
and subtracting MPs is quite easy; multiplying them is harder; and dividing is the 
hardest. In this chapter we will not be discussing normal integer division as division 
in cryptographic implementations is very specific. The computations involved 
are always in modular arithmetic where all results are divided by a predetermined 
quantity called the "modulus", and only the remainder is kept. 

Later in this chapter we discuss a special implementation of modular 
arithmetic due to Montgomery [45]. This method avoids division in modular reduction. 
Modular exponentiation in particular is an essential and time-critical part of 
the RSA and DSS schemes. We discuss efficient methods for implementing this in 
the next chapter. 

4.2.2 MP Addition 

Adding two MPs is much the same as the classroom method. Given a carry-in that's 
either 0 or 1 and two addend digits (MP_DIGIT), we have to compute the sum 
digit and a carry-out. Since we represent each digit by 32 bits, it's difficult to get 
the carry-out, but it can be accomplished by applying a twist as follows. 

• Add the carry-in to the first addend digit. Let us denote this sum as the "subsum". 

• If the subsum is less than the carry-in, then there is a carry-out. This is 
because the real sum has wrapped past the maximum digit and it cannot get 
as far as the carry-in. This implies that the carry-in is 1, and the subsum is 
0 (< carry-in). So, write down the second addend digit as the sum digit, and 
go on to the next digit. 

• If subsum ≥ carry-in in the previous step, add the subsum to the second 
addend digit. If the sum digit is less than the second addend digit, we have 
to carry out and otherwise not. 

Example: 

Let us add 4532 to 8097 (base r = 10). 

    carry            1  0  1  0  0 
    first addend        4  5  3  2 
    subsum              4  6  3  2 
    second addend       8  0  9  7 
    sum              1  2  6  2  9 


4.2.3 MP Subtraction 

Subtracting two MPs is just like adding two MPs, except that we borrow instead 
of carry. Given a borrow-in that's either 0 or 1, a subtrahend digit, and a minuend 
digit we have to compute a remainder digit and a borrow-out. 

• Subtract the borrow-in from the subtrahend digit. Let this be the "subremainder". 

• If it is more than the maximum digit minus the borrow-in, we have to borrow 
out, which means that the borrow-in is 1, and the subremainder is the maximum 
digit. Since the subremainder is the maximum digit, we write down the 
maximum digit minus the minuend digit as the remainder digit and go on to 
the next digit. 

• If there is no borrow-out in the previous step, subtract the minuend digit 
from the subremainder, which we write down as the remainder digit. If the 
remainder digit is more than the maximum digit minus the minuend digit, we 
have to borrow out and otherwise not. 

4.2.4 MP Multiplication 

Let us compute a = bc, where b and c have n digits, and a has 2n digits. 

Operand Scanning method 

The normal classroom approach to this multiplication can be written down as given 
by the expression below. 

a = Σ_(i=0..n−1) b[i] r^i c 

This method is referred to as multiplication by "operand scanning". Here we multiply 
by digits of the operand b from least to most significant, following the weights 
r^i. 

Algorithm for operand scanning is shown below. 

    a ← 0 
    for i ← 0 to n − 1 
        do x ← 0 
           for j ← 0 to n − 1 
               do x ← x + a[i+j] + b[i]c[j] 
                  a[i+j] ← x mod r 
                  x ← ⌊x/r⌋ 
           a[i+n] ← x 

In this method we compute the product by accumulating partial products b[i] r^i c 
for each i. There are n iterations. The variable x carries between iterations of the j 
loop. There is no carry between iterations of the i loop. Given below is an example 
for multiplication by operand scanning (base 10, multiplier digits taken least significant first). 

             5 4 3 2   ← multiplicand 
             9 8 7 6   ← multiplier 
             0 0 0 0   ← accumulator value 
           3 2 5 9 2   ← intermediate product (6 × 5432) 
           3 2 5 9 2   ← accumulator value 
         3 8 0 2 4     ← intermediate product (7 × 5432, weight r) 
         4 1 2 8 3 2   ← accumulator value 
       4 3 4 5 6       ← intermediate product (8 × 5432, weight r^2) 
       4 7 5 8 4 3 2   ← accumulator value 
     4 8 8 8 8         ← intermediate product (9 × 5432, weight r^3) 
     5 3 6 4 6 4 3 2   ← final product 


Product Scanning Method 

The expression below gives a different approach that leads to multiplication by 
"product scanning", which is similar to convolution in signal processing. 

a = Σ_(k=0..2n−1) r^k Σ_(i=max(0,k−n+1)..min(k,n−1)) b[i] c[k − i] 

Algorithm for product scanning is given below. 

    x ← 0 
    for k ← 0 to 2n − 1 
        do for i ← max(0, k − n + 1) to min(k, n − 1) 
               do x ← x + b[i]c[k − i] 
           a[k] ← x mod r 
           x ← ⌊x/r⌋ 

We compute digits of the product a from least to most significant, following the 
weights r^k. Given below is an example for multiplication by product scanning. We 
compute the cross products between pairs of operand digits and their columnwise 
sum, with carry propagation right to left, gives the product. 
                        5    4    3    2   ← multiplicand 
                        9    8    7    6   ← multiplier 

         8   10   10    6    3    1        ← carry 
                       18   16   14   12   ← 2 × (9 8 7 6) 
                  27   24   21   18        ← 3 × (9 8 7 6) 
             36   32   28   24             ← 4 × (9 8 7 6) 
        45   40   35   30                  ← 5 × (9 8 7 6) 

    5    3    6    4    6    4    3    2   ← product 


It's clear that in operand scanning, there are n^2 iterations of the j loop, plus whatever 
overhead there is in the n iterations of the i loop. Product scanning, on the 
other hand, computes the product by accumulating partial products for each k. 

Σ_(i=max(0,k−n+1)..min(k,n−1)) b[i] c[k − i] 

There are 2n iterations. The variable x accumulates within an iteration of the i 
loop, and between iterations of the k loop. Its value is always less than nr^2. If 
n < r then x needs at most three digits. 

The index k − i, like i, is always between 0 and n − 1. On the last iteration 
of the k loop, i ranges from n to n − 1, so the i loop has no iterations. There is 
an overhead in the 2n iterations of the k loop. This method is simpler than the 
operand-scanning method and has been proved ([13], [20]) to be 25 percent faster per 
iteration. Although there are more iterations of the k loop here than iterations of 
the i loop in the operand-scanning method, the additional overhead is not significant 
compared to the savings. 


Comparison 

Product scanning stores each product digit once, not after every multiply. Of course, 
it fetches operand digits before every multiply. But it does not fetch product digits 
at all! In all, product scanning has about one-third fewer memory references than 
operand scanning. It also has many fewer "shifts". 

Product scanning needs more register storage than operand scanning. The variable 
x in product scanning needs at least three digits, whereas in the operand-scanning 
method it needs only one digit. 
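The digit-level routines of 4.2.2 and 4.2.4 (carry detection by comparison, operand scanning and product scanning) in Python, cross-checked against native integers; this is an added example, not the thesis's C library. Digits are Python ints reduced mod r to stand in for 32-bit MP_DIGITs, and the page's base-10 worked examples are reproduced by passing r = 10.

```python
"""Digit-level MP routines of 4.2.2 and 4.2.4 in Python; an added example, not the thesis's C library."""

B = 32                 # bits per MP_DIGIT
R = 1 << B             # radix r = 2^b; digit values are reduced mod r to mimic 32-bit wraparound


def to_digits(x, n, r=R):
    """Little-endian base-r digits of x, padded to n digits (a[0] is the 1s digit)."""
    digits = []
    for _ in range(n):
        x, d = divmod(x, r)
        digits.append(d)
    if x:
        raise ValueError("value does not fit in n digits")
    return digits


def from_digits(a, r=R):
    return sum(d * r ** i for i, d in enumerate(a))


def mp_add(a, b, r=R):
    """Digit-serial addition with the carry-detection twist of 4.2.2.

    Every digit operation is reduced mod r, as a 32-bit unsigned add would be;
    the carry-out is read off by comparing the wrapped result with an addend.
    Returns (sum digits, final carry-out).
    """
    out, carry = [], 0
    for x, y in zip(a, b):
        subsum = (x + carry) % r
        if subsum < carry:                 # wrapped: carry-in was 1 and x was r-1
            out.append(y)                  # sum digit is the second addend itself
            carry = 1
            continue
        s = (subsum + y) % r
        carry = 1 if s < y else 0          # wrapped past r-1 exactly when s < y
        out.append(s)
    return out, carry


def mul_operand_scanning(b, c, r=R):
    """a = b*c: for each digit b[i], accumulate the partial product b[i]*c at weight r^i."""
    n = len(b)
    a = [0] * (2 * n)
    for i in range(n):
        x = 0                              # carry lives within the j loop only
        for j in range(n):
            x = x + a[i + j] + b[i] * c[j]
            a[i + j] = x % r
            x //= r
        a[i + n] = x
    return a


def mul_product_scanning(b, c, r=R):
    """a = b*c: column k collects the cross products b[i]*c[k-i], like a convolution."""
    n = len(b)
    a = [0] * (2 * n)
    x = 0                                  # needs up to three digits: x < n*r^2
    for k in range(2 * n):
        for i in range(max(0, k - n + 1), min(k, n - 1) + 1):
            x += b[i] * c[k - i]
        a[k] = x % r
        x //= r
    return a


def page_examples():
    """The text's base-10 examples: 4532 + 8097 and 5432 * 9876."""
    s, carry = mp_add(to_digits(4532, 4, 10), to_digits(8097, 4, 10), 10)
    total = from_digits(s + [carry], 10)
    prod_digits = mul_product_scanning(to_digits(5432, 4, 10), to_digits(9876, 4, 10), 10)
    return total, from_digits(prod_digits, 10)


def cross_check(x, y, n):
    """Agreement of all three routines with native integers for n-digit (32-bit) inputs."""
    a, b = to_digits(x, n), to_digits(y, n)
    s, carry = mp_add(a, b)
    return (from_digits(s + [carry]) == x + y
            and from_digits(mul_operand_scanning(a, b)) == x * y
            and from_digits(mul_product_scanning(a, b)) == x * y)
```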
4.3 Modular Arithmetic 

4.3.1 Introduction 

Modular reduction is a basic operation in many of the cryptosystems. Computation 
of the form (A * B) mod N is required extensively and repetitively. Hence, even 
a small improvement or optimisation in modular arithmetic significantly improves 
the throughput of the cryptosystems. Modular multiplication is half multiplication 
and half division. Results are divided by a predetermined quantity (modulus) and 
only the remainder is used. Division takes longer and is difficult to implement. 
Montgomery multiplication is a good alternative. It can be implemented by both 
product and operand scanning. 

4.3.2 Montgomery's method 

This method¹ [45] uses a novel approach to modular reduction without requiring any 
division operation. Since division is costly to perform, this method is advantageous. 
However in this method, initially, the problem variables are to be transformed into 
a special N-residue form. To reduce any integer mod N, we define an alternate 
representation of the integers (0, 1, 2, ..., N − 1) called Montgomery representation. 
We translate normal integers to this new form, do our multiplications and then 
finally translate the result back to the normal representation. 

To form the Montgomery representation, we choose some R such that R > N 
and relatively prime to N (gcd(R, N) = 1). By choosing R to be some power of 
2, division can be made inexpensive since division by any power of two means just 
right shifts. This also means that N is to be odd as R and N are to be co-prime. 
This is not a constraint since, in cryptosystems, particularly RSA, N is a product 
of large primes which assures that N is odd. Generally R is chosen to be a power 
of the machine word size. 

Now to represent the integers in {0, ..., N − 1}, we use the Montgomery representation 

M(x) = xR mod N 

To convert from Montgomery representation to normal representation, we find 
the inverse of R mod N under multiplication mod N. Let it be R'. Then the 
inverse of M(x) is 

M'(x) = xR' mod N 

Since R and N are relatively prime, these functions are one-to-one on {0, 1, 2, ..., N − 
1}. Hence all these integers have a unique representation. 

¹ "x = y mod n" implies that x is the least residue of y mod n, and "x == y mod n" means that 
x is congruent mod n to y. 
Now we find N' such that 

0 < N' < R and RR' − NN' = 1 

That is, R' (0 < R' < N) is the inverse of R under multiplication mod N, 
and R − N' is the inverse of N under multiplication mod R. Either R' or N' can 
be computed using the extended Euclidean algorithm and the other from the relation 
RR' − NN' = 1. Due to [20] we have a better algorithm to compute the inverse 
of x modulo y for the special case when x is odd and y is a power of 2. Since the 
computation of N' is the same as this special case, we first compute N' and then R' is 
obtained from the relation RR' − NN' = 1. 

    function ModularInverse(N, R) 
    begin 
        y[1] := 1 
        for i := 2 to log2(R) do 
            if (N * y[i − 1]) mod 2^i < 2^(i−1) 
                then y[i] := y[i − 1] 
                else y[i] := y[i − 1] + 2^(i−1) 
        return y[log2(R)] 
    end 

We now define the procedure REDC(x) which has two uses. The first is to 
compute M'(x). That is, it computes the normal representation of an integer, given 
the Montgomery representation. The other is to multiply two numbers modulo N 
in Montgomery representation with the product in Montgomery form. 

    function REDC(x) 
    begin 
        N' := −N^(−1) mod R                   (1) 
        m := ((x mod R) * N') mod R           (2) 
        t := (x + m * N) / R                  (3) 
        if t < N                              (4) 
            return t                          (5) 
        else return t − N                     (6) 
    end 

It is to be noted that in step 3, x + mN has to be divisible by R. 

mN == ((x mod R)N' mod R)N == xNN' mod R == −x mod R 
x + mN == x + (−x) mod R == 0 mod R 
Thus R divides x + mN. Also, x + mN == x mod N (since it is x plus a 
multiple of N), so tR == x mod N (since t = (x + mN)/R) and t == xR' mod N 
(multiplying both sides by R'). Thus t is congruent mod N to the desired result. 
Since 

m < R 
x + mN < RN + RN 
(x + mN)/R < 2N 

it implies that if x < RN, then t < 2N, so either t or t − N is the result. Thus 
REDC(x) returns xR' mod N given 0 ≤ x < RN. The procedure REDC divides 
only by R, so all divisions can be done by shifting out low order bits. The time 
consuming part of REDC is the two multiplications. 

We will now look at multiplying two integers which are in Montgomery representation 
with the product in Montgomery representation. Suppose the integers are 
x and y, then their Montgomery representations are xR mod N, and yR mod N. 
Now given xR mod N and yR mod N, we have to compute xyR mod N. Since R' 
is the modulo N inverse of R, 

xyR mod N = xRyRR' mod N = (xR mod N)(yR mod N) * R' mod N 

So if we take the ordinary product of the representations, (xR mod N)(yR mod N), 
and run it through REDC, we get 

REDC((xR mod N)(yR mod N)) = xyR mod N. 

Since (xR mod N) and (yR mod N) are both less than N, their product is 
less than NN which is less than RN, so it forms a valid input for REDC. Thus to 
multiply modulo N two numbers in Montgomery representation with the product 
in Montgomery form, 

    function MontyMult(x, y) 
    begin 
        return REDC(x * y) 
    end 


4.3.3 Multiprecision case 

In actual applications, the parameters N, R and the input x are multiple-precision 
integers and hence involve multiprecision arithmetic. That is, an integer A is represented 
as a sequence of digits a_(n−1), ..., a_0, where 
A = a_(n−1) b^(n−1) + a_(n−2) b^(n−2) + ... + a_1 b + a_0 and b is the base, typically a power 
of 2 (word size of the processor), and n is the number of digits. Also we choose 
R = b^n. In the function REDC, step 2, instead of computing all of m at once, we 
can do it one digit m_i at a time. This allows us to use a single digit n'_0, which is 
−n_0^(−1) mod b, instead of −N^(−1) mod R. 

    function REDC(x) 
    begin 
        n'_0 := −n_0^(−1) mod b 
        t := x 
        for i := 0 to n − 1 do 
        begin 
            m_i := t_i * n'_0 mod b          (t_i is the current i-th digit of t) 
            t := t + m_i * N * b^i 
        end 
        return t/R 
    end 

Similarly, the Montgomery product of two numbers can be computed using the algorithm 
below. 

    function MontyMult(A, B) 
    begin 
        n'_0 := −n_0^(−1) mod b 
        T := 0 
        for i := 0 to n − 1 do 
        begin 
            T := T + A_i * B * b^i 
            m_i := T_i * n'_0 mod b 
            T := T + m_i * N * b^i 
        end 
        return T/R 
    end 

Let us denote the Montgomery reduction modulo N as M_N(). The following observations 
are worth mentioning: 

• It involves only multiplication. The operation mod is just truncation, since 
b is the digit radix. 

• If x and y are between 0 and N − 1, then M_N(x, y) is between 0 and 2N − 1 
and can be reduced modulo N with, at most, one subtraction. 

• It obeys the usual multiplicative laws: M_N(x, y) = M_N(y, x); and M_N(M_N(x, y), z) = 
M_N(x, M_N(y, z)). The identity is R mod N. 

• It relates to ordinary modular multiplication through the ratio R mod N. 
M_N((xR mod N), (yR mod N)) = xyR mod N. This implies that the Montgomery 
product of Montgomery representations is the Montgomery representation of the 
ordinary product. 

Thus Montgomery multiplication lets us avoid a division at the expense of two 
multiplications. Of course we have the overhead of the conversion to and from 
Montgomery representation. Typically, when exponentiating mod N, intermediate 
results are not translated back to normal representation between multiplications; 
they are left in Montgomery representation until all the multiplications are done. So 
it is a good trade-off considering the large number of reductions to be done before 
converting the result. 
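REDC, the bit-at-a-time inverse routine, the digit-serial reduction of 4.3.3 and an exponentiation that keeps every intermediate in Montgomery form, as an added example (not the thesis code). Names follow the text (N, R, N', n'_0, b); the moduli used in the checks are constructed and tiny.

```python
"""Montgomery reduction (REDC) and multiplication as in 4.3.2 and 4.3.3; an added example, not the thesis code."""


def mod_inverse_pow2(N, R):
    """N^{-1} mod R for odd N and R = 2^k, by the bit-at-a-time algorithm of the text.

    Invariant after step i: N*y == 1 (mod 2^i).  The low i bits of N*y are then
    either 1 or 1 + 2^(i-1); in the second case adding 2^(i-1) to y clears that bit,
    because N is odd and so N*2^(i-1) == 2^(i-1) (mod 2^i).
    """
    k = R.bit_length() - 1           # log2(R)
    y = 1                            # y[1]: N*1 == 1 (mod 2) for odd N
    for i in range(2, k + 1):
        if (N * y) % (1 << i) >= (1 << (i - 1)):
            y += 1 << (i - 1)
    return y


def redc(x, N, R):
    """REDC(x) = x*R' mod N for 0 <= x < R*N; divides only by R (a shift)."""
    n_prime = (-mod_inverse_pow2(N, R)) % R       # N' = -N^{-1} mod R      (1)
    m = ((x % R) * n_prime) % R                   #                          (2)
    t = (x + m * N) // R                          # exact: R | x + m*N       (3)
    return t if t < N else t - N                  #                       (4)-(6)


def monty_mult(x_bar, y_bar, N, R):
    """Product of two Montgomery residues, result again in Montgomery form."""
    return redc(x_bar * y_bar, N, R)


def redc_digit_serial(x, N, b, n):
    """REDC one base-b digit at a time using only n0' = -n0^{-1} mod b (R = b^n).

    The digit fed to each step is the current digit t_i of the running total,
    since the earlier additions m_j*N*b^j may have carried into position i.
    Returns a value in [0, 2N) congruent to x*R' mod N.
    """
    n0_prime = (-pow(N % b, -1, b)) % b
    t = x
    for i in range(n):
        t_i = (t // b ** i) % b
        m_i = (t_i * n0_prime) % b
        t += m_i * N * b ** i
    return t // b ** n


def monty_modexp(M, e, N, R):
    """M^e mod N by the binary method with every intermediate kept in Montgomery form."""
    m_bar = (M * R) % N              # to Montgomery representation
    c_bar = R % N                    # Montgomery form of 1 (the identity)
    for bit in bin(e)[2:]:
        c_bar = monty_mult(c_bar, c_bar, N, R)          # squaring
        if bit == "1":
            c_bar = monty_mult(c_bar, m_bar, N, R)      # multiply
    return redc(c_bar, N, R)         # one conversion back at the very end
```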



Chapter 5 

Implementation and Results 


5.1 Introduction 

The calculation of modular products is an important part of software implementations 
of many cryptographic protocols such as the well-known RSA public key 
algorithm. In these exponential cryptographic systems, there is a need for fast 
modular exponentiation, that is the calculation of 

C = M^e mod n 

where for acceptable levels of security C, M, e, and n are multiprecision numbers. 
Similarly, the basic operation performed on an elliptic curve cryptosystem is the 
computation of the multiplicity d · P of a point P on the elliptic curve modulo n. This 
corresponds to the computation of M^d mod n. Multiplication and squaring in the 
latter are replaced by addition and doubling in the former. For a large n and d (and 
e), the time complexity of elementary operations as well as the number of elementary 
operations are very high. Thus, reducing the number of such operations is important 
when implementing the above algorithms. By combining ideas from [28] and Dusse 
and Kaliski [20], and exploiting Montgomery's method [45] for modular reduction, 
efficient routines have been developed. 

Let us first consider the computation C = M^e mod n. The conventionally used 
algorithm for this is the binary method, described by Knuth [30]. 

The algorithm is as shown below. 

    C ← M 
    for i ← λ(e) − 1 to 0 step −1 
        do C ← C^2 mod n 
           if e_i = 1 
               then C ← CM mod n 


The above problem can conveniently be divided into two phases: the squaring 
or multiplication of two large multiprecision numbers, and then their subsequent 
reduction to a remainder when divided by n. This reduces the above calculation to 
a sequence of squarings and multiplications, modulo n, the total number of which 
depends on ν(e), the number of 1s (Hamming weight) in the binary representation of 
the exponent. This method takes λ(e) + ν(e) modular multiplications, where λ(e) + 1 
is the bit length of the exponent. Let (e_λ(e), ..., e_0) be the bit representation of e. 
In this method, for each bit of the exponent except the first, squaring is done and 
if the bit is 1, then a multiplication is also done. 

Therefore fast modular exponentiation can be achieved if we have access to fast 
methods for modular squaring and multiplication and also if the Hamming weight 
of the exponent can be reduced. 

In the case of elliptic curves, the m-ary algorithm for computing R = d · P can be 
given as below. 

    R ← P 
    for i ← λ(d) − 1 to 0 step −1 
        do R ← 2R 
           if d_i = 1 
               then R ← P + R 

where P and R are points on an elliptic curve. 

So, it is clear that given a method for reducing the Hamming weight of d (or e), 
we can reduce the number of elementary operations in the computation of modular 
exponentiation and multiplicity of points. In this implementation Montgomery's 
modular reduction technique has been used for squaring and multiplication. As 
discussed in the previous chapter, this gives us an efficient implementation of multiplication 
and squaring. For exponent reduction, the signed binary window method [28] 
has been implemented. This algorithm is applicable to the computation of both 
modular exponentiation and multiplicity of a point on an elliptic curve as will be 
shown in the next section. 

To prove the efficiency of Montgomery's algorithm, timing tests were conducted 
and the results have been shown in Table 5.1. For each size of the modulus, the modulus 
and the exponent of that size were fixed and random numbers were generated 
for the base. For each random number, computations were done with Montgomery 
reduction and the normal reduction method. The timings shown are the average of 
several runs for a particular modulus size. 
Table 5.1: Average computation time for Montgomery reduction in a PC-AT 
486-DX2, 66 MHz 

    Size of the Modulus    Normal method    Montgomery's method 
    128 bit                 6 sec.           .1 sec. 
    256 bit                 9 sec.           .5 sec. 
    512 bit                14 sec.          3.55 sec. 
    1024 bit               26 sec.          5.33 sec. 


5.2 Signed Binary Window Method 


The computation of the kind M^e mod n is similar to the basic operation performed 
on an elliptic curve which is the computation of a multiple d·P of a point P on 
the elliptic curve modulo n. For a large n and d, the time complexity of elementary 
operations as well as the number of elementary operations are very high. Thus, 
reducing the number of such operations is important when implementing cryptosystems 
which are time critical. 

In this section, we describe the signed binary window method proposed by 
Koyama and Tsuruoka [28]. This method is based on pre-computation to generate 
an adequate addition-subtraction chain for the multiplier d. In this method 
the multiplier d is not represented in binary but in a special form called signed 
binary representation. This increases the average length of zero runs in a signed 
binary representation of d, and speeds up the binary window method. Even though 
this discussion is specific to computation on elliptic curves, all the results are 
directly applicable to modular exponentiation, as will be shown at the end of this 
section. 

An addition chain for a given d is a sequence of positive integers 

a_0 (= 1), a_1, ..., a_r (= d), 

where r is the number of additions, and a_i = a_j + a_k for some k ≤ j < i, for 
all i = 1, 2, ..., r. To evaluate d·P by the ordinary binary method without pre-computation 
requires (3/2)⌊log_2 d⌋ multiplications on average. The ordinary binary 
method does not always guarantee the minimum number of multiplications (the 
shortest addition chain). Obtaining the shortest addition chain is an NP-complete 
problem. 


An addition chain can be extended to an addition-subtraction chain, with a rule 
a_i = a_j ± a_k in place of a_i = a_j + a_k. This idea corresponds to the evaluation of 
M^e using multiplication and division. For integers, division (or the computation 
of a multiplicative inverse modulo n) is a costly operation, and implementing this 
idea does not seem feasible. In the case of elliptic curves the division in Z_n is replaced 
by a subtraction, which has the same cost as an addition. An addition (subtraction) 
formula on elliptic curves does not contain a division, particularly when 
homogeneous coordinates are used. Thus, the addition-subtraction chain can be 
effectively applied to computations over elliptic curves. 

The Koyama-Tsuruoka method is a window method and the multiplier d is 
represented in signed binary form. For a given number d, this method consists of 
the following four phases: 

• Representation of d, 

• Splitting the representation into segments (windows), 

• Computing the segments, 

• Concatenating the segments. 

Representation 

For a given number d, this method uses the signed (three-valued) binary representation 
T : [t_{L-1} ... t_0] for d satisfying $d = \sum_{i=0}^{L-1} t_i 2^i$, where $t_i \in \{\bar{1}, 0, 1\}$, 
and $\bar{1}$ denotes -1. It is to be noted that the ordinary binary representation B is 
uniquely determined for a given d, but T is not unique. In this method a transform 
algorithm is used to transform B to T such that it increases the average length of 
zero runs and minimizes the weight of T. The average length of the zero runs in T, 
denoted by Z(T), is defined as follows. 

Z(T) = j'Zz(i). 
z(.i) = {'i* < i < L - 1), 

where z(-1) = 0. 

Let B' be a subsequence of B, and let T' be a subsequence of T. A rule for 
transforming B' to an equivalent T' is as follows. 
Transformation Rule 

B' : [1 ... b_i ... 1] can be transformed into T' : [1 0 ... t_i ... $\bar{1}$], where t_i = b_i - 1. 

Let #0(B') be the number of zeroes in B', and let #1(B') be the number of non-zero 
digits in B'. The weight of T' is estimated as #1(T') = 2 + Σ|t_i| = 2 + Σ|b_i - 1| = 
2 + #0(B'). Thus the weight decreases by the transformation if #1(B') - #0(B') > 2. 

The transform algorithm inputs B in LSB first order and counts the difference 
D(B') = #1(B') - #0(B'), and applies the transformation rule repeatedly to appropriate 
B' with D(B') ≥ 3. The output of this method is not sparse. The output is 
said to be sparse if no two adjacent digits are nonzero. 

The transform algorithm is given below. 

algorithm transform (input B: array, output T: array) 
begin 
  M := 0; J := 0; Y := 0; X := 0; U := 0; V := 0; W := 0; Z := 0; 
  while X ≤ ⌊log2 d⌋ do begin 
    if B[X] = 1 then Y := Y + 1 else Y := Y - 1; 
    X := X + 1; 
    if M = 0 then begin 
      if Y - Z ≥ 3 then begin 
        while J < W do begin T[J] := B[J]; J := J + 1 end; 
        T[J] := -1; J := J + 1; V := Y; U := X; M := 1 
      end else if Y ≤ Z then begin Z := Y; W := X end 
    end else begin 
      if V - Y ≥ 3 then begin 
        while J < U do begin T[J] := B[J] - 1; J := J + 1 end; 
        T[J] := 1; J := J + 1; Z := Y; W := X; M := 0 
      end else if Y ≥ V then begin V := Y; U := X end 
    end 
  end; 
  if M = 0 ∨ (M = 1 ∧ V ≤ Y) then begin 
    while J < X do begin T[J] := B[J] - M; J := J + 1 end; 
    T[J] := M; T[J + 1] := 0 
  end else begin 
    while J < U do begin T[J] := B[J] - 1; J := J + 1 end; 
    T[J] := 1; J := J + 1; 
    while J < X do begin T[J] := B[J]; J := J + 1 end; 
    T[J] := 0; T[J + 1] := 0 
  end; 
  return T 
end 

Here Y is the running count #1 - #0 of the digits read so far; Z and W record its 
latest minimum and the position just after it (the start of a candidate block); V and 
U record its latest maximum and the position just after it (the end of the block); 
M indicates whether a block is open; and J is the next output position. Within a 
block the digits are written as B[J] - 1, the block starts with a -1 and a carry 1 is 
written at its end, exactly as in the transformation rule. 
Splitting 

Let w be the width of the window. T is split into segments with a length at most w. 
The following splitting procedure generates a list of all segments. The input array 
is represented by T. 

procedure split (input T: array, w: integer, output S: array) 

  Let segment list S be empty 
  while (length(T) > w) 
  begin 
    Let W be the left w digits of T. 
    Let R be T excluding W. 
    Let W be W excluding the right 0's. 
    Let R be R excluding the left 0's. 
    Add new segment W to segment list S 
    T := R. 
  end 
  Add last segment T to segment list S 
  return S 


Computing the Segments 

In B, the value of each segment is an odd positive integer up to 2^w - 1. In T, if w ≥ 3 
the segment value never becomes 2^w - 1 or -(2^w - 1) because of the property of 
the transform algorithm. Each segment value is an odd integer from -(2^w - 3) to 
2^w - 3. The absolute values of all segments are obtained by the following simple 
addition sequence (i.e. 1, 2, 3, 5, 7, ..., 2^w - 3): 

$a_0 = 1,\ a_1 = 2,\ a_2 = 3,\ a_i = a_{i-1} + 2 \quad (3 \le i \le 2^{w-1} - 1).$ 

Therefore, in T, all segment values can be computed by at most 2^{w-1} additions. 


Concatenating and the Number of Operations 

Concatenation requires doublings and non-doubling additions. The segment values 
are concatenated as follows: 

$dP = ((\cdots((d_k P \cdot 2^{z_k + l_{k-1}} + d_{k-1} P) \cdot 2^{z_{k-1} + l_{k-2}} + d_{k-2} P) \cdots) \cdot 2^{z_2 + l_1} + d_1 P) \cdot 2^{z_1}$ 

The innermost d_k P corresponds to the most significant segment, and the exponent 
z_k + l_{k-1} corresponds to the sum of the length z_k of the following window gap and 
the length l_{k-1} of the next segment. 

Let L be the length of B or T. Note that L is A + 1 for B and L is A + 1 or A + 2 
for T. Let Z' be the average length of zero runs in the most significant windows 
for B or T. In other words, Z' is the average number of 0's deleted in W by the 
splitting algorithm in the beginning. Let Z'' be the average length of zero runs 
deleted in R by the splitting algorithm for B or T. The average length of the most 
significant segment is w - Z'. The number of doublings in concatenation is the same as 
the length of T (or B) except for the most significant segment. Thus, the number 
of doublings in concatenation is L - (w - Z') for B and T. The average number of 
segments becomes L/(w + Z''), which corresponds to the number of non-doubling 
additions in concatenation. 
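The four phases above (transform, split, compute the segments, concatenate) carried through in code, as an added example that is not the thesis's C implementation. The group law is passed in as add/neg/double callables, so the same routine runs over plain integers (where d.1 must equal d) and over a small constructed curve y^2 = x^3 + 2x + 3 over F_97 with base point (3, 6); the curve, the point and the names below are assumptions for illustration, while D_SAMPLE is the multiplier d of the program's sample run in Section 5.2.1. The precomputed table is built up to (2^w - 1)P as a safety margin, although the text shows T never needs more than (2^w - 3)P for w ≥ 3.

```python
def sbw_transform(d):
    """Signed binary digits of d (LSB first, each in {-1, 0, 1}) following the
    transform algorithm above; len(T) plays the role of the output index J."""
    B = [(d >> i) & 1 for i in range(d.bit_length())]
    T, M, Y, Z, W, V, U = [], 0, 0, 0, 0, 0, 0
    for X, b in enumerate(B, start=1):      # X = index just after bit b
        Y += 1 if b else -1                 # running #1 - #0 of B
        if M == 0:
            if Y - Z >= 3:                  # D(B') >= 3: open a block at W
                T.extend(B[len(T):W]); T.append(-1); V, U, M = Y, X, 1
            elif Y <= Z:                    # latest minimum of Y
                Z, W = Y, X
        elif V - Y >= 3:                    # close the block at its last maximum U
            T.extend(x - 1 for x in B[len(T):U]); T.append(1); Z, W, M = Y, X, 0
        elif Y >= V:                        # latest maximum of Y
            V, U = Y, X
    if M == 0 or V <= Y:                    # copy the rest, or close the block at the end
        T.extend(x - M for x in B[len(T):]); T.append(M)
    else:                                   # close the block at U, copy the rest
        T.extend(x - 1 for x in B[len(T):U]); T.append(1); T.extend(B[len(T):])
    while len(T) > 1 and T[-1] == 0:
        T.pop()
    return T

def sbw_split(T, w):
    """(value, length, following zero run) of each segment of MSB-first digits T,
    as in the split procedure: right zeros of a window and left zeros of the
    remainder both become part of the gap."""
    segs = []
    while T:
        win, T, gap = T[:w], T[w:], 0
        while win and win[-1] == 0:
            win.pop(); gap += 1
        while T and T[0] == 0:
            T = T[1:]; gap += 1
        segs.append((sum(t << k for k, t in enumerate(reversed(win))), len(win), gap))
    return segs

def sbw_multiply(d, P, add, neg, double, w=4):
    """d.P in any group given add/neg/double (None is the identity): precompute
    the odd multiples of P, then concatenate the segments as
    dP = (..(d_k P . 2^(z_k + l_(k-1)) + d_(k-1) P)..) . 2^z_1."""
    assert d >= 1
    two_p, table = double(P), {1: P}
    for v in range(3, 2 ** w, 2):           # a_i = a_(i-1) + 2P: 3, 5, ..., 2^w - 1;
        table[v] = add(table[v - 2], two_p) # the text shows T needs only up to 2^w - 3
    Q = None
    for val, length, gap in sbw_split(sbw_transform(d)[::-1], w):
        for _ in range(length):             # doublings for the segment length l
            Q = double(Q)
        Q = add(Q, table[val] if val > 0 else neg(table[-val]))
        for _ in range(gap):                # doublings for the following zero run z
            Q = double(Q)
    return Q

def toy_curve(p, a):
    """Affine group law of y^2 = x^3 + a x + b over F_p with None as the point
    at infinity (b does not enter the formulas; points must lie on the curve)."""
    def add(P, Q):
        if P is None or Q is None:
            return Q if P is None else P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None
        num, den = (3 * x1 * x1 + a, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
        lam = num * pow(den, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        return (x3, (lam * (x1 - x3) - y1) % p)
    neg = lambda P: None if P is None else (P[0], -P[1] % p)
    return add, neg, lambda P: add(P, P)

# Constructed sample, an assumption for illustration and not a curve from the
# thesis: y^2 = x^3 + 2x + 3 over F_97 with the point (3, 6), which has order 5.
CURVE, BASE = toy_curve(97, 2), (3, 6)
D_SAMPLE = 436913269784326597843659436     # the multiplier of the sample run in 5.2.1
```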

Thus, on average, the window method requires R operations: 

where C — for B, and C = 2^”^ — 1 for T. 

In the case of modular exponentiation, where d is the exponent in x^d, it can be 
computed from the following relation. 

5.2.1 Implementation 

The routines outlined above have been implemented using C. In order to demonstrate 
the efficiency of the SBW method for modular exponentiation, the conventional 
RSA algorithm has been implemented. 

Average times for the RSA computation for bit-sizes 128, 256 and 512, and for the 
computation of a multiple of a point on an elliptic curve, are shown in Tables 5.2 and 5.3 
respectively, for Knuth's binary method and the signed binary window method. These 
timings are for a PC-AT 486-DX2, running at 66 MHz. Given below is an example 
for the SBW method, generated by the program. 
Table 5.2: Average time for the RSA computation on a PC-AT 486-DX2, 66 MHz 

RSA size    binary method    signed binary method 
128 bit     1.2 sec.         .25 sec. 
256 bit     4.3 sec.         1.75 sec. 
512 bit     10.26 sec.       4.86 sec. 


This is an Implementation of KOYAMA-TSURUOKA SBW Method 


The value of 'd' you have typed in is 

436913269784326597843659436 

Enter the window size <4> 

Input in binary form is 

B; 101101001011001111111101111010000011111 
000011101100001110101011010001000010101 
01010101100 
No of bits = 89 


MSD representation is 

T: 10-100-10-1-10-100-1-100000 
000 - 10000 - 1 - 1000010000-10 
001000 - 10 - 10001000 - 10 - 10-1 
00 -1 -1 0001000010101010101 
0 110 0 


The values computed are: 

d_k : 3 -11 -9 -1 -1 -31-11 -5 

L_{k-1} -.34411211131341 
y, -21084443333103 


1-5-9-1155530 

1 3 3 3 2 0 
4 1112 0 
Table 5.3: Average time for computation of the multiple d · P of a point on an elliptic curve 

Size of the multiplier d    Double & ADD method    Signed Binary Window method 
30 digits                   2.0329 sec.            1.7033 sec. 
40 digits                   2.6373 sec.            2.1978 sec. 
55 digits                   3.6813 sec.            3.0769 sec. 
60 digits                   4.0109 sec.            3.2967 sec. 
5.3 A Package for Computation on Elliptic Curves 

Before starting any implementation over elliptic curves, we need to build a library 
which can support arithmetic over elliptic curves. We have adapted a software 
package for computation on elliptic curves. This software facilitates computation 
using algebraic structures and number theory with emphasis on elliptic curves. 
The design of the software was influenced by SIMATH, a computer algebra system 
developed at the Universität des Saarlandes in Saarbrücken (Germany). Some of 
the structures have been adapted from SIMATH while due care has been taken to 
optimise the computationally-intensive portions. SIMATH has been designed for 
UNIX systems and runs on HP-UX and SUN OS. We have successfully implemented 
this package on a PC, which was a challenging task. This package works on any PC 
with i386 and above, running MSDOS. The porting has given the package a 
wider reach. 

The package also consists of an interactive calculator which consists of 

• many of the system functions 

• comprehensive error checking 

• detailed "help features". 

An Overview of the System 
The system consists of 

• the basic system which consists of managing programs, modified input/output 
functions, and a list system with an automatic garbage collector and dynamic 
memory administration; 

• a multiple precision arithmetic package for computations over Z, Z/nZ 
and finite fields; 

• a polynomial package for computations with polynomials in any number of 
unknowns over any of the structures contained in the arithmetic package; 

• a matrix/vector package for matrix/vector computations over the structures 
contained in the arithmetic package and over polynomial rings; 

• an elliptic curves package with elliptic-curve-specific functions over the structures 
contained in the arithmetic package; 

• software libraries for user applications; 

• the interactive calculator; 

• a user interface: the link between the user and the system. 

The elliptic curve package contains functions for 

• arithmetic over elliptic curves; 

• combined Schoof-Shanks algorithm for counting points on elliptic curves over 
prime fields and finite fields of characteristic 2; 

• algorithm for constructing elliptic curves with a given number of points over 
a given field; 

• conversion from affine to projective coordinates and vice versa. 

This package has been used for the implementations discussed in the next section. 

5.4 Implementation of Elliptic Curve Cryptosystems 

5.4.1 ElGamal Scheme 

The ElGamal scheme described in Section 3.7.2 has been implemented in software. 
The software uses three files, namely publ_key.elg, priv_key.elg and work_cur.elg. 
publ_key.elg contains the public keys and priv_key.elg has the secret key of the 
user. The file work_cur.elg contains the parameters of the elliptic curve over which 
the system works. At the start of the program, the curve parameters are read from 
this file. By changing the parameters of the curve, the system can be made to work 
with a different set of curves. This makes the system very flexible. Shown below is a 
sample of the file work_cur.elg. Considering an elliptic curve E_p(a,b) represented 
in short normal form, the file shows the parameters p, a, b and the base point P one 
below the other in that order. 

199999999999999999999999980586675243082581144187569 

148486628762055479690802965149417399410907101516048 

91791942014707744104904176978653306234927171105946 

( ( 563944706 652136738 357002604 313126945 393227603 470 ) 

( 993312320 850608605 520591648 816554363 190865839 65020 ) 1 ) 


The software consists of the following five modules. 

• Preprocessing 

• Encryption 

• Decryption 

• Key Generation 

• Postprocessing 


Preprocessing / Postprocessing 

The encryption and decryption modules understand only numbers whereas the file 
to be encrypted consists of text. This module has to be used in order to convert 
text to numbers. The plaintext has to be preprocessed before passing it on to 
the encryption module. The preprocessing module takes in a text file and outputs a 
numerical file (a file consisting of just numbers). Each character in the file is converted 
to its ASCII equivalent, and is stored in a particular format. The postprocessing module 
does exactly the opposite. It takes in a numerical file and outputs the text file. The 
output file from the decryption module is just numbers and has to be postprocessed 
before recovering the plaintext. 


Key Generation 

Any new user has to get registered before he can receive any encrypted message. 
The user chooses a USER-ID and enters a random number. This random number 
serves as the user's secret key k. The program now computes the public key k * P 
for this user, where P is the BASE POINT of the working curve. The points on 
the elliptic curve are represented as a list of projective coordinates. The public key 
and the secret key are written in the files publ_key.elg and priv_key.elg respectively. 
Given below is a sample session for key generation. 

WORKING CURVE IS EC(a,b) OVER GF(p) where 

a = 148486628762055479690802965149417399410907101516048 
b = 91791942014707744104904176978653306234927171105946 
p = 199999999999999999999999980586675243082581144187569 

The BASE POINT chosen is: 

( ( 563944706 652136738 357002604 313126945 393227603 470 ) 

( 993312320 850608605 520591648 816554363 190865839 65020 ) 1 ) 

press any key to continue 
Enter : 

'1' for encryption 

'2' for decryption 
'3' for Key generation 

<3> 

Please enter the USER-ID you require in alphanumeric <ASHA> 

Enter a random number < #EC(a.b)/F_p; This is your secret key. 

<34876 583748743687348756865873478563834534535> 

The public key ’k*P’ of ASHA is : 

( ( 103926098 215304201 712251265 111224613 161140750 33503 ) 

( 758364253 820837412 680992828 253785033 706268666 100574 ) 1 ) 

Key generation successful!!! 
press any key to continue 


A sample of the file publ_key.elg is shown below. 


#GANESH 

( ( 412v5C)4800 299764211 1042953185 967922145 444487410 71405 ) 

( 403152028 556419030 38821355 196512697 482737121 19276 ) 1 ) 

#ANJAN 

( ( B768Hlin 367851042 893614798 61834521 635342672 125718 ) 

( 1010532596 785156749 531332585 83324805 883686276 135944 ) 1 ) 

#UDAYA 

( ( 346114033 1021482961 152710560 942706862 486534328 121706 ) 

( 395376916 281457862 683395352 88474358 259115801 110712 ) 1 ) 

#MADHU 

( ( 900766780 108765936 433554337 18198582 406153930 61190 ) 

( 72.47!) 1749 359330786 1009904365 200571998 871964376 124938 ) 1 ) 


A sample of the file priv_key.elg is shown below. 


#GANESH 

984379327498 1 27948723987 198373244534 

#ANJAN 

9827589437S4S36 

#UDAYA 

5864S8734632S4320743S7984798694 

#MADHU 

876437854990430037490843958390483478 
Encryption / Decryption 


From the user's point of view, the encryption module takes in a preprocessed file, encrypts it 
and writes the output in the file ?.ELG where ? is the input filename. Similarly 
the decryption module takes in an .ELG file and writes the output in the file specified 
by the user. This file has to be then postprocessed to get back the plaintext. Having 
explained the algorithm in Section 3.7.2, the procedure is best understood by the 
example below. 


Given below is a sample encryption/decryption session. Anjan is assumed to be 
sending a secret message to Ganesh. The user response is shown within angles ("< 
>"). In our examples below we have used the text file "try.txt" to demonstrate the 
system. Before encrypting, "try.txt" is to be preprocessed. Let the preprocessed file 
be "try.num". Now, "try.num" is the input file to the encryption module. Similarly, 
suppose our output file from the decryption module is "try.dec"; postprocessing has 
to be done in order to obtain the plaintext. Let "try.pla" be the postprocessed file 
which contains the plaintext. 


E L - G A M A L CRYPTOSYSTEM over ELLIPTIC CURVES 


Press any key to continue 

<RETURN> 

WORKING CURVE IS EC(a,b) OVER GF(p) where 

a = 148486628762055479690802965149417399410907101516048 
b = 91791942014707744104904176978653306234927171105946 
p = 199999999999999999999999980586675243082581144187569 
The BASE POINT chosen is: 

( ( 563944706 652136738 357002604 313126945 393227603 470 ) 

( 993312320 850608605 520591648 816554363 190865839 65020 ) 1 ) 

press any key to continue 

<RETURN> 


Enter: 

'1' for encryption 
'2' for decryption 
'3' for Key generation 


< 1 > 



Chap. 5: Implementation and Results    62 


Table 5.5: Timing details for Elliptic-ElGamal Encryption and Decryption of a file 
of size 1Kbyte and keysize of 40 digits 

MACHINE            ENCRYPTION    DECRYPTION 
486DX-33MHz        158 sec.      54 sec. 
486DX-66MHz        90 sec.       29 sec. 
Pentium-100MHz     44 sec.       14 sec. 

Enter Your IDENTITY: <ANJAN> 

ID check O.K. 

Enter Receiver's IDENTITY: <GANESH> 

ID check O.K. 

file to be encrypted : <TRY.NUM> 

ENCRYPTING!!! 

Encryption process successful!!! 

press any key to continue 

Enter: 

'1' for encryption 
'2' for decryption 
'3' for Key generation 

< 2 > 

Enter Your IDENTITY: <GANESH> 

ID check O.K. 

file to be decrypted : <TRY.ELG> 
output filename: <TRY.DEC> 

DECRYPTING!!! 

Decryption process successful!!! 

press any key to continue 

<Type any key other than '1', '2' and '3' to exit> 


Summary 


The generated keys are available in the files "publ_key.elg" and "priv_key.elg". The 
program reads the details of the curve over which the system works from the file 
Table 5.4: Timing details for Elliptic-RSA Encryption and Decryption of a file of 
size 1Kbyte and keysize of 40 digits 

MACHINE            ENCRYPTION    DECRYPTION 
486DX-33MHz        52 sec.       51 sec. 
486DX-66MHz        29 sec.       29 sec. 
Pentium-100MHz     14 sec.       14 sec. 


"work_cur.elg". To make the system work for a new curve, the file "work_cur.elg" 
has to be updated. Encrypted output is always available in the file input-filename.elg. 
For eg: if the input file for encryption is "try.num" then the output is written in 
"try.elg". Eventually "try.elg" would be the input file for the decryption module. 
Table 5.5 shows the encryption and decryption time on various PCs. 


5.4.2 RSA Scheme 

The RSA scheme described in Section 3.7.4 has been implemented in software. 
Lemma 1 in that section has been used for the implementation. The function and 
usage of this software is exactly like the ElGamal software except for the algorithm. 
A summary of the implementation is given below. 


Summary 

The generated keys are available in the files "publ_key.rsa" and "priv_key.rsa". Encrypted 
output is always available in the file input-filename.rsa. For eg: if the input 
file for encryption is "try.num" then the output is written in "try.rsa". Eventually 
"try.rsa" would be the input file for the decryption module. A point to be noted 
here is that there is no need for a file like "work_cur.rsa". This is because the curve 
depends on the message block and varies with the message block, as explained in 
Section 3.7.4. In other words, the elliptic curve analog of RSA does not depend on a 
single curve but on a class of curves all with the same order. Table 5.4 shows 
the encryption and decryption time on various PCs. Having described the algorithm 
in Section 3.7.4, given below are samples of "publ_key.rsa" and "priv_key.rsa". Also 
shown is an example session of the software. 

A sample of the file publ_key.rsa is shown below. For each user, n and e are given 
one below the other. 





#KUMAR 

211264895256552106288097984310241340329 
11673804226958622024281347862080900211 

#ASHA 

448559004770032616669835444763471 

40552505987272305758924050773329 

#BALU 

3183532129328529632103818026301237025243290274359660239175630914099 

155855123759236589106632136042964677551141400765642239810797715225 

#PANKAJ 

211264895256552106288097984310241340329 

11673804226958622024281347862080900211 

A sample of the file priv_key.rsa is shown below. For each user, n and d are given 
one below the other. 


#KUMAR 

211264895256552106288097984310241340329 

17867267186943391525959595439825517581 

#ASHA 

448559004770032616669835444763471 

63357534928474681606758059185973 

#BALU 

3183532129328529632103818026301237025243290274359660239175630914099 

350388442930323509530159590616151146561431047995918918491560928893 

#PANKAJ 

211264895256552106288097984310241340329 

17867267186943391525959595439825517581 


An example session for Elliptic RSA encryption followed by decryption: 


R S A CRYPTOSYSTEM over ELLIPTIC CURVES 


Enter: 

'1' for encryption 
'2' for decryption 
'3' for Key generation 

<1> 

Enter Your IDENTITY : <ASHA> 
ID check O.K. 

Enter Receiver's IDENTITY: <BALU> 

ID check O.K. 

file to be encrypted : <try.num> 

ENCRYPTING ! ! ! [beep ! ] 

[beep!] 

Encryption process successful!!! 

Time taken for encryption is 29.000000 sec. 
press any key to continue 

Enter : 

’1' for encryption 
'2' for decryption 
'3' for Key generation 

< 2 > 

Enter Your IDENTITY: <BALU> 

ID check O.K. 

file to be deciphered = <try.rsa> 

output filename = <try.dec> 

DECRYPTING!!! [beep!] 

[beep!] 

Time taken for decryption is 29.000000 sec. 
Decryption process successful!!! 
press any key to continue 

A sample session for Key Generation: 


Please enter the USER-ID you require in alphanumeric <ASHA> 
Enter the Key size in digits: <17> 

The Public Key is: 

n : 6554476486728736331493249419309227 

e : 45932180240125755507133997764499 

The Secret Key is: 

d: 1252352083485704826691742851787 

p: 92793613865686541 

q: 70634995380349847 

#E_p(0,b): 92793613865686542 

#E_q(0,b): 70634995380349848 

N_n: 364137582596040916384547703630312 
5.5 Conclusion 

In this thesis we looked into various aspects of implementing a cryptosystem. We 
discussed a few techniques for efficient computation with specific reference to elliptic 
curve cryptosystems. The effectiveness of these algorithms was tested through 
implementations and checked. The combination of Montgomery reduction with the signed 
binary window method was found to be effective. The Montgomery technique is effective 
not only in software but also in hardware. This has been studied in [5] and [22]. 
This would be of extreme importance in applications requiring high throughput like 
voice encryption etc. Through this thesis we have developed a platform for performing 
computation on elliptic curves. Also, encryption schemes on elliptic curves 
have been implemented and demonstrated. Even though the encryption rate is too 
low, the software implementation can be used to study the implementation over 
various curves. 

Still a lot more can be done for improving the computation on elliptic curves. 
In this thesis we have not looked into the implementation over Galois fields. The 
bottleneck in a high-speed implementation is the complex group algebra involved in 
the computation. Especially, arithmetic in Galois fields is time consuming and has 
to be efficiently implemented. The impact of various bases of representation of field 
elements has to be evaluated. Optimal normal bases have been found to be efficient 
for hardware implementations, but their impact on software implementation has 
to be studied. Of late many encryption schemes and signature schemes have been 
proposed. A study of these schemes and their suitability for implementation 
over elliptic curves can be examined. Another aspect which we have not 
covered here, and which is most important, is the design of elliptic curves suitable 
for cryptosystems. 